Crockett

"Your value will rise as you apply your 
expertise to helping your company realize 
the potential of cloud computing." 


IT PRO PERSPECTIVES 


Securing Your Position in the Cloud 

How to make sure your skill set is transferable 


As a savvy IT pro, you've likely moved beyond your fear of cloud computing as a career-killer, right? If you still have lingering doubts, or you just need a specific plan of action to ensure that your career is cloud-proof, start with these tips to get smart about cloud computing. As Jeff James writes this month in his Business Technology Perspectives column (page 5), businesses are continuing to move services to a cloud-based model for a variety of reasons. Your assignment is to figure out how you fit into this new model.

Review the basics. The most confusing aspect of cloud computing could be the terms used to describe it. Although terms can change, the basic concepts that underlie cloud computing are few, but critical to understand. The first is Infrastructure as a Service (IaaS), in which the hardware that runs your company's business is managed by a service provider. The second is Software as a Service (SaaS), in which the software that runs your company's business operations is managed by a service provider. The third is Platform as a Service (PaaS), in which your company builds and manages custom solutions that run on a technology stack hosted by a service provider. These three scenarios offer diverse options for IT pros to add value with skills that transfer fairly seamlessly from traditional, on-premises computing—particularly data center management, system architecture, and application management. Cloud service providers need to collaborate with business-savvy IT experts at the client company. Your value will rise as you apply your expertise to helping your company realize the potential of cloud computing—primarily cost savings and flexibility.

Do some homework with cloud providers. Call a few cloud 
service providers and ask how they interact with the IT pros at 
client companies. How is the IT team involved in defining the 
services? What are some successful examples of how the IT team 
helped the cloud service provider implement an optimal solution? 
Your conversation will be extremely helpful when your company 
decides to engage a cloud service provider. Or it could lead to a new 
position for you managing a cloud service provider's data center. 

Understand licensing models. Software licensing models 
are notoriously difficult to understand, causing companies to get 
stuck with a larger bill than they bargained for after all the internal 
users, branch offices, and remote workers have been accounted 
for. Help your company accurately scope cloud-based licensing 
costs by applying your lessons learned in rolling out on-premises 
software licenses. 


Become an expert on SLAs. The success of your company's cloud strategy depends on the ability of the service provider to perform as expected. Become involved in the process of defining the SLA to ensure that your company's data is secure, your company's intellectual property is protected, and any performance-based interruptions in business services are adequately compensated. Although some companies bring in contract negotiators to execute agreements with service providers, your familiarity with the IT infrastructure and line-of-business applications can prove invaluable as your company pursues an agreement that has enough teeth to provide real protection and reflects your company's critical business dependencies.

Embrace cloud-based office productivity tools. Web-based office applications such as Google Apps and Microsoft's new Office 365 suite simply make sense. They're good for business (particularly for small and medium-sized businesses), put an enormous amount of power in the hands of the users, and make life easier for IT pros who manage user desktops. To help kick-start your company's use of cloud-powered apps, explore the tools yourself and—once again—make sure you understand the licensing models and service agreements. (For an overview of Office 365 pricing, check out Paul Thurrott's article "Hands On with Office 365," InstantDoc ID 128920.)

Learn and network at a conference. For a crash course in cloud computing, join us in Las Vegas April 17-21 for our first Cloud Connections conference, co-located with Mobile Connections and Virtualization Connections. You can enroll in pre-conference workshops for a deep dive in cloud identity management, hear the market predictions from experts at Microsoft, IBM, Amazon Web Services, Cloud Security Alliance, and Cloud.com, and network with other IT pros exploring cloud computing. Check out the conference speakers and sessions at www.cloudconnections.com.

Do you have tips to share for how you transferred your skills to a cloud computing scenario? Send your thoughts to me via email at michele.crockett@penton.com. And follow me on Twitter @michelecrockett.

InstantDoc ID 129267 
James

"Many organizations are eagerly recruiting 
skilled IT professionals who not only have a 
grasp of the technical aspects of in-house IT, but 
can also champion and facilitate the adoption of 
cloud computing products and services." 

Why IT Is Moving to the Cloud 

The driving factors behind cloud computing adoption include improved agility, cost 
savings and ROI, and an increase in cloud-savvy IT staff 



If you're an IT manager or senior IT executive in the evaluation phase for turning over some of your infrastructure to the cloud, you're not alone. Cloud adoption can vary by industry and organization, but cloud computing is rapidly making inroads into most organizations. According to a recent survey of 600 senior IT and business executives by Savvis, 70 percent of IT decision makers are using or plan to use cloud computing in their own enterprises within 24 months.

While concerns about security, identity, SLAs, and other topics are still on the minds of many IT professionals, those concerns are gradually being addressed by cloud providers. In her IT Pro Perspectives column, my colleague, Michele Crockett, writes on page 4 about the skills that IT professionals need to fit into the new cloud economy, as cloud-savvy IT staff is essential to successful cloud adoption.

While cloud computing may not be a complete solution for 
every enterprise—nobody is talking about ditching internal data 
centers yet, and probably never will—a number of pressing factors 
are driving the growth of cloud computing. I will cover some of the 
biggest drivers towards cloud computing adoption here. 

Improved IT agility. As recently as a few years ago, it took far too long for many IT departments to respond to increasing demand for computing capacity. Too much paperwork, too many approvals, and a reliance on hard-to-deploy physical servers meant that IT was often slow to respond to variable organizational needs. Virtualization helped that situation immensely, and the arrival of cloud computing gives IT organizations even more of an ability to easily (and cost-effectively) expand and reduce computing resources to meet fluctuating demands.

Cost savings and ROI. Cloud computing isn't a panacea, but there are clear-cut cases where moving part of your IT infrastructure to the cloud makes solid operational and financial sense. Here at Penton Media we recently moved from a cumbersome legacy email newsletter tool—developed in house—that required an ongoing (and expensive) commitment in terms of user training and application maintenance to a new cloud-based email newsletter solution. If you have legacy software applications in your own organization, are they really worth the time, expense, and human capital needed to keep them running when superior cloud-based alternatives are available?


Private cloud vs. public cloud. The concept of the private cloud has gathered steam over the past 12 months. Public cloud computing services generally rely on having your data on someone else's infrastructure. That can be a non-starter for many IT administrators, especially if your organization operates under tricky auditing, compliance, or data location requirements. That's where the private cloud steps in: Leveraging virtualization and commodity hardware, the private cloud can provide some of the elastic benefits of public cloud computing without some of the inherent risks that public cloud computing still needs to address.

Cloud-savvy IT staff. A new breed of IT professionals is stepping into leadership positions in many organizations. Some fear that cloud computing could mean the end of their careers, but savvy IT pros realize that someone in the organization has to take the lead in selecting what IT platforms and services are moved to the cloud while simultaneously educating management and the rest of the organization why other elements aren't good candidates for cloud computing treatment.

Many organizations are eagerly recruiting skilled IT professionals who not only have a grasp of the technical aspects of in-house IT, but can also champion and facilitate the adoption of cloud computing products and services. I've heard firsthand that IT professionals who can simultaneously balance IT and tech needs while meeting the strategic needs of the business are a hot commodity, and business leaders should make every effort to retain and reward qualified staff and spend the necessary capital to train and reward the next generation of IT leadership.

Are you an IT or business decision maker that has tips and advice on how you successfully moved some of your infrastructure to the cloud? Send your tips, advice, and suggestions to me via email at jeff.james@penton.com, and follow me on Twitter @jeffjames3.

InstantDoc ID 129285 
Drive Extender Removed from Windows Home Server

In "Microsoft Hobbles Next Windows Home Server" (November 24, 2010, InstantDoc ID 129054), Paul Thurrott comments on Microsoft's removal of Drive Extender from WHS. He writes, "While Drive Extender was previously used only in a niche product, WHS, Microsoft's intention was to move it forward to more mainstream Windows Server and then Windows client versions. The benefits were to be enormous: Drive Extender could be used to silently and seamlessly ensure that each file in storage is replicated across two physical hard disks, helping to prevent data loss in the event of a hardware failure, and doing so without the complexities of RAID. And Drive Extender's storage pooling largely eliminated the need for drive letters, simplifying storage allocation dramatically." I think the Drobo products have shown that RAID doesn't have to be complex. And Data Robotics' BeyondRAID technology beats the heck out of whatever Microsoft is doing with WHS. Microsoft really should license the technology.

—Bill Sweatt 

Mobile Device Management 

I read Brian Winstead's two articles regarding Exchange backup software and Zenprise ("Buyer's Guide: Exchange Server Backup and Recovery Software," November 2010, InstantDoc ID 126058 and "Management for Employee-Owned Mobile Devices," Exchange and Outlook Blog, August 19, 2010, http://www.windowsitpro.com/blogs/exchangeandoutlook/tabid/780/entryid/13030/Management-for-Employee-Owned-Mobile-Devices.aspx). I like the way Zenprise goes about blurring the line between corporate and employee-owned mobile devices, and it seems like the product should be the no-brainer product of choice. But if I recall, Zenprise's pricing model leaves it beyond reach of most SMBs. Take my small firm, for example, which has 35 employees and about 28 different smartphones plugging into our Exchange infrastructure. Can you suggest an affordable solution that will allow me to enforce basic encryption, device lock, and remote wipe? Is Exchange ActiveSync my only option as an SMB IT pro?

—Dotan Akiva 

The mobile device management products I've looked at do seem to be aimed more at mid-to-enterprise companies. To be honest, I don't usually ask vendors about cost when I speak with them because cost can be slippery. How much a company actually pays might come down to what kind of deal they can negotiate, and some vendors have a different scale depending on the size of company making the purchase. However, your question has made me see how important it is to think about the cost since that's such a key factor in which companies can truly benefit from a solution.

Unfortunately, I haven't seen any mobile device management products that really seem to focus on smaller businesses. You're right, however, that you can use Exchange ActiveSync (EAS) to get the level of control you're asking about—the implementation, of course, won't be quite as simple as with something like the Zenprise product. If you haven't seen this already, there's a great post on the Exchange team blog at http://msexchangeteam.com/archive/2010/07/15/455481.aspx about EAS and how different devices support its various policies; note particularly the link to the wiki, which gives you a nice table of the different smartphone OSs and the EAS policies you can control on each of them.

—Brian Keith Winstead 

InstantDoc ID 129252 
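For readers in Dotan's position, here is an added example of what the EAS route looks like in practice. It is not part of the letter or the reply, and it is not Microsoft's documentation: it is one ActiveSync mailbox policy, written for the Exchange Server 2010 Management Shell, that requires a device lock, an inactivity timeout and storage encryption, assigned to every user mailbox, followed by the remote-wipe call. The policy name "SMB-Baseline", the contoso.com addresses and the device ID are placeholders; the script assumes it runs with Organization Management rights.

```powershell
# Added example (not from the column): a baseline Exchange ActiveSync mailbox policy
# that gives an SMB the three controls asked about above: device lock, storage
# encryption, and remote wipe. Exchange Server 2010 Management Shell cmdlets.
# Policy name, mailbox addresses and device ID are placeholders.

$policyName = 'SMB-Baseline'

# 1. Create the policy once; later runs reuse it.
if (-not (Get-ActiveSyncMailboxPolicy -Identity $policyName -ErrorAction SilentlyContinue)) {
    $settings = @{
        Name                               = $policyName
        DevicePasswordEnabled              = $true       # device lock: a PIN/password is required
        AlphanumericDevicePasswordRequired = $false      # a numeric PIN is acceptable for this baseline
        MinDevicePasswordLength            = 6
        MaxInactivityTimeDeviceLock        = '00:05:00'  # auto-lock after 5 idle minutes
        MaxDevicePasswordFailedAttempts    = 10          # device wipes itself after 10 wrong PINs
        RequireDeviceEncryption            = $true       # encrypt internal storage
        RequireStorageCardEncryption       = $true       # ...and removable storage
        AllowNonProvisionableDevices       = $false      # a phone that cannot apply the policy may not sync
    }
    New-ActiveSyncMailboxPolicy @settings
}

# 2. Assign the policy to every existing user mailbox (repeat for mailboxes created later).
Get-Mailbox -RecipientTypeDetails UserMailbox -ResultSize Unlimited |
    Set-CASMailbox -ActiveSyncMailboxPolicy $policyName

# 3. Verify which partnered devices have actually acknowledged the policy.
#    A device with no LastPolicyUpdateTime is not enforcing anything yet.
$devices = Get-Mailbox -RecipientTypeDetails UserMailbox -ResultSize Unlimited |
    ForEach-Object { Get-ActiveSyncDeviceStatistics -Mailbox $_.Identity -ErrorAction SilentlyContinue }
$devices |
    Select-Object Identity, DeviceType, DeviceOS, LastSuccessSync, LastPolicyUpdateTime |
    Sort-Object DeviceType | Format-Table -AutoSize

# 4. Remote wipe of one lost phone: pick it from the list above by DeviceID, then ask
#    Exchange to wipe it on its next sync and e-mail the admin when the device acknowledges.
$lostDeviceId = 'PLACEHOLDER-DEVICE-ID'
$lost = $devices | Where-Object { $_.DeviceID -eq $lostDeviceId }
if ($lost) {
    Clear-ActiveSyncDevice -Identity $lost.Identity `
        -NotificationEmailAddresses 'itadmin@contoso.com' -Confirm:$false
}
```

Two caveats go with this. EAS policies are enforced by the phone's mail client, not by Exchange, so the wiki table Brian points to is the real check: it tells you which of these settings each smartphone OS honours. With AllowNonProvisionableDevices set to false, a phone that cannot apply the policy is refused sync rather than silently left unprotected, so pilot the policy with a few users before assigning it to all 28 devices. And the wipe in Exchange 2010 is a full device wipe, which matters on employee-owned phones.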
NEED TO KNOW


Thurrott 

"I think we can expect a limited beta 
of Windows 8 by mid-2011 at the latest 
and a public beta by September 2011." 



What You Need to Know About Windows 8, IE 9 
Anti-Tracking, Small Business Server, and Microsoft 
Office Security 


Looking ahead in 2011, I like what I see so far: The industry is moving inexorably to a cloud computing future that I think makes plenty of sense for Microsoft and its customers; users are craving a new generation of highly mobile and pervasively connected devices; and, best of all, we have another Windows beta on the way. Ah, bliss.

Windows 8 Beta on Horizon 

To understand the current schedule for Windows 8, all you need are some elementary math skills. Microsoft has told me that it now plans to ship new versions of Windows every three years, foregoing the previous major-minor release cadence; now, all Windows releases are new versions of Windows, with no major or minor version designation. Windows 7 shipped in October 2009, of course, a bit late for the holiday season and quite late for back-to-school sales, so adjusting for that issue, we can assume that Windows 8 is on the docket for mid-to-late 2012. And this is indeed what my sources have told me is the expected release date.

Backtracking from that date, we can look at how Microsoft released pre-release code for Windows 7 to predict releases of Windows 8. With Windows 7, Microsoft shipped the first and only beta release of the system to a limited technical audience in October 2008, a year before RTM; it then released a broader public beta three months later. I think we can expect a limited beta of Windows 8 by mid-2011 at the latest and a public beta by September 2011.

What this means is that our first hands-on experience with Windows 8 is just months away. There's even a chance that Microsoft might show off a very early preview of the OS at the Consumer Electronics Show (CES). If so, you can expect a Windows 8 update a month after. I'm curious to see what Microsoft comes up with.

Hand-Wringing Over the iPad 

When I wrote this column, we didn't yet have the final tally on Apple iPad sales for 2010, but my estimate is that Apple will sell around 12 to 15 million units for the year—and, had the device been available for the full year, would have sold about 15 to 18 million units. (The iPad became broadly available in April 2010.)

That number, wherever it falls, is nowhere close to the 350+ million PCs that hardware makers will deliver in the same time frame. But it's still important for two reasons. First, Apple has indeed created a new product category, one that Microsoft, Google, RIM, and many others are eager for a share of. And second, if you combine Apple's iPad sales with its Mac sales, Apple, suddenly, becomes one of the biggest PC makers in the world.

For Microsoft, this cannot stand, and although the software 
giant and its hardware partners squandered most of 2010 by not 
releasing anything that even closely resembles an iPad competitor, 
2011 should be quite different. There are those who believe—and I 
include myself among them—that the real solution to this problem 
isn't a Windows PC, per se, but rather a device-like tablet based 
on Windows Phone OS or even the Windows Embedded 7 OS. 
But Microsoft seems to be heading toward Windows 7 combined 
perhaps with a simpler front end and some new, battery-efficient 
Intel hardware. Whatever happens, it should be interesting. 

Internet Explorer 9 Anti-Tracking Technologies 

Internet Explorer (IE) 9 has been in beta for a long, long time. Microsoft showed off the first pre-release version of the browser in late 2009, released the first platform preview in March 2010, and then the first (and only) beta in September 2010. For the release candidate (RC) version of IE 9, due in early 2011, Microsoft is adding a feature to the product called Tracking Protection that answers a US Federal Trade Commission (FTC) proposal called "Do Not Track."

The idea is that web browser users need some way to prevent 
sites—malicious or otherwise—from tracking their movements 
online. It would resemble the "Do Not Call" database, but be 
implemented in a completely different way. 

IE 9's Do Not Track functionality will be opt-in technology that 
requires users to find, download, and install tracking lists that block 
certain websites from following users online. Microsoft expects 
third parties to construct the tracking lists, which is perhaps a weak 
link in the plan. That said, this facility will be controllable via policy 
and could become an interesting new layer of defense. 

I suspect that competing browser makers will provide their 
own implementations of Do Not Track, and it's likely that those 
companies without ties to online advertising—like Mozilla, maker 
of Firefox—will be more aggressive about protecting their users 
from site tracking. 

The final version of IE 9 is due in 2011. I have my money on 
April, since that's when the company's annual web developer 
show, MIX, occurs. 


Debating Windows Home Server's 
Future... 

In my article last month "Microsoft Brings SBS into the Cloud," InstantDoc ID 129147, I touched on Microsoft's decision to remove a critical data storage technology called Drive Extender from its upcoming products, Windows Home Server "Vail," Windows Small Business Server 2011 Essentials, and Windows Storage Server 2011 Essentials. Drive Extender debuted in the original version of WHS and provides two key pieces of functionality. First, it lets users easily ensure that all data stored on the server is duplicated across two physical disks, helping to prevent data loss in the event of a hardware failure. Second, it removes the need for drive letters and exposes any attached hard drives (internal or external) as part of a single pool of storage.

The cancellation of Drive Extender is felt most keenly in the WHS community. Users complained bitterly and started an online petition to see whether the software giant would relent and bring back what was a key part of a stunning software solution.

That's not going to happen. I've spoken with Microsoft several times about this feature removal, and although I reacted much like any other WHS enthusiast when I heard about this plan, I do understand the larger strategic needs around application compatibility. The problem is that, for WHS at least, there's no obvious software solution that can step in and fill the needs that were met by Drive Extender. RAID is too complex and too limiting for home solutions, and while products like the Drobo devices somewhat resemble Drive Extender as well, they're proprietary and also somewhat expensive.

Microsoft says it will address user concerns in an early 2011 beta refresh of WHS "Vail," though it said that Drive Extender is not coming back. I'm curious what Microsoft will come up with, and whether I can recommend a Drive Extender-less WHS. Previously, I thought WHS was a no-brainer. Now I'm not so sure.

The final version of WHS "Vail" should 
ship sometime in the second quarter of 
2011. Some believe Microsoft may simply 
cancel the product. 

Honestly, I can see that happening as 
well. Stay tuned. 
... And How This Affects Small Business Server

On the Small Business Server side of the 
fence, the Drive Extender removal is less of 
a problem because Microsoft's hardware 
partners, which sell SBS products with 
low-end server hardware already, have 
their own solutions for data redundancy 
and file protection. But I'm curious to see 
whether these concerns are really met, 
or whether users will be expected to roll 
their own solutions as required or rely on 
external backups. 

I'm guessing this functionality will be ignored. And that's a shame, because the very small businesses that will be drawn to SBS Essentials are exactly the types of companies that don't establish a backup plan.

Microsoft Security Essentials 2 and 
the Future of Windows Security 

I've spent much of the past decade complaining that Microsoft needs to integrate full security controls into client versions of Windows, but although the company has made strides in that direction, the most recent Windows versions—Windows 7 and Vista—have basically included everything a user could need except for antivirus and anti-malware. A few years back, Microsoft's security solution for consumers was a low-cost subscription product called Windows Live OneCare. But in 2009, that morphed into an excellent, free download called Microsoft Security Essentials. This product was updated recently, and in late 2010, Microsoft opened the licensing to include very small businesses (i.e., those with 10 or fewer desktops) as well.

Come on, Microsoft. You're so close. 

One concern is that Microsoft currently sells an MSE-based product to businesses, called Microsoft Forefront. This isn't so much a product as it is a suite, and much of the functionality of the paid version is in centralized management and specialized protection capabilities for various Microsoft servers as well.

I suspect that the bigger concern here is antitrust related, and certainly McAfee, Symantec, and other security firms would waste no time complaining to regulators in the US and Europe should Microsoft ever finally wake up to this need and just bundle the darn thing in Windows. But it seems that this protection is needed because of the flaws in Microsoft's software, and that Microsoft's customers could argue that the software giant should be required to protect them from those threats.

That's why I'm calling on Microsoft, again, to put its customers first and protect them as a perk for using Windows. Microsoft Security Essentials is excellent software, and it should be part of Windows.

Office 2010 Security Technologies Coming to Office 2003, 2007

Microsoft Office 2010 includes many enhancements over its predecessors; some are obvious, and some are hidden and rarely noticed by end users. One of these features, called Office File Validation, helps protect against electronic attacks hidden inside legacy (i.e., non-XML-based) Word, Excel, Publisher, and PowerPoint documents.

You might recall that Microsoft switched 
from the legacy document formats when it 
released Office 2007. The new Office file 
formats offer improvements over the legacy 
binary formats, including better reliability, 
data portability, and security. Office 2007 
and Office 2010 (and Office 2003 with 
the add-on) are automatically protected 
against threats that target newer Office 
document types. 

In Office 2010, Microsoft extended protection to the legacy file formats as well. "If [Office File Validation] detects an issue, it opens the file in Protected View," Microsoft Senior Response Communications Manager Carlene Chmaj said. "This helps prevent unknown binary file-format attacks for Word, Excel, Publisher, and PowerPoint."

Office File Validation is great for the minority of users on the latest Office version. But it won't help the majority still using Office 2003 and Office 2007. So in early 2011, Microsoft will release an add-on with Office File Validation functionality for older versions. This is an update you're going to want to evaluate, especially if you have no plans to upgrade to Office 2010.
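Before you evaluate that update, it helps to know how much of your document estate is actually in the legacy binary formats Office File Validation targets. The PowerShell script below is an added example for that inventory; it is not from the column and not a Microsoft tool. It classifies files by their on-disk container signature (the OLE2 compound-file header shared by legacy .doc/.xls/.ppt/.pub files, versus the ZIP header of the Open XML formats) rather than by extension, because Office itself sniffs content and a mislabelled file is exactly the kind of thing worth a second look. The share path is a placeholder; the extension lists are an assumption about which extensions your users actually have.

```powershell
# Added example (not from the column): inventory Office documents on a share by
# container format, so you know how many files are in the legacy binary formats
# that Office File Validation targets, and which files carry an extension that
# does not match their real format. $root is a placeholder.

$root = '\\fileserver\docs'

$legacyExt = '.doc','.dot','.xls','.xlt','.ppt','.pps','.pot','.pub'
$xmlExt    = '.docx','.docm','.dotx','.xlsx','.xlsm','.xltx','.pptx','.pptm','.potx'

function Get-OfficeContainer([string]$path) {
    # Classify by file signature, not by extension: Office opens files by content.
    $head = New-Object byte[] 8
    $fs = [System.IO.File]::Open($path, [System.IO.FileMode]::Open,
                                 [System.IO.FileAccess]::Read, [System.IO.FileShare]::ReadWrite)
    try { $n = $fs.Read($head, 0, 8) } finally { $fs.Close() }
    $hex = [System.BitConverter]::ToString($head, 0, $n)
    if ($hex.StartsWith('D0-CF-11-E0-A1-B1-1A-E1')) { return 'LegacyBinary' }  # OLE2 compound file
    if ($hex.StartsWith('50-4B-03-04'))             { return 'OpenXML' }       # ZIP container
    return 'Other'   # RTF, plain text, HTML and so on saved under an Office extension
}

$report = Get-ChildItem -Path $root -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer } |
    ForEach-Object {
        $ext = $_.Extension.ToLower()
        if (($legacyExt -contains $ext) -or ($xmlExt -contains $ext)) {
            $container = Get-OfficeContainer $_.FullName
            $expected  = if ($legacyExt -contains $ext) { 'LegacyBinary' } else { 'OpenXML' }
            New-Object PSObject -Property @{
                Path      = $_.FullName
                Extension = $ext
                Container = $container
                Mismatch  = ($container -ne $expected)   # e.g. a .docx that is really an OLE2 file
            }
        }
    }

# How much of the share Office File Validation covers (Office 2010 today, older versions with the add-on):
$report | Group-Object Container | Select-Object Name, Count

# Files whose contents are not the format their extension claims; look at these before anyone opens them.
$report | Where-Object { $_.Mismatch } | Select-Object Path, Extension, Container
```

Run it from any Windows machine with read access to the share; it only reads the first eight bytes of each candidate file, so it is safe to point at a large volume. The LegacyBinary count is the population the new add-on will protect; the mismatch list is the one to hand to whoever reviews suspicious mail attachments.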
WINDOWS POWER TOOLS


Minasi 

"I'm not going to show you any new 
commands this time—just a new way 
to fit them all together into one big 
Windows power tool." 



Creating a Bootable VHD 

A roundup of technologies and tools from past columns provides 
a strong basis for this task 


The latest Windows version supports the notion of booting from one big file—called a VHD file—that stores an entire C drive. It's an interesting technology, but to try it, you need a VHD file that contains an OS and is bootable. In the past year, I've examined some of the technologies and tools that make boot-from-VHD possible, and in this column, I'll bring some of them together so that you can assemble a bootable VHD file.

Microsoft offers two paths to get a system into VHD-able state. I covered the first—Disk2VHD—a few months back. The second approach involves several steps and tools but might be the preferred (or sometimes the only) way to get from "working prototypic computer" to "bootable VHD."

You first need to set up a prototypic PC that meets your organization's needs, is outfitted with applications, has an appropriate default user profile, and so on. Then, run

sysprep /generalize /oobe /shutdown

on that prototype system, as I discussed several months ago.

At this point, you have a system that's ready to be duplicated and rolled out to other systems—once you've used an imaging tool to capture the contents of its C drive. However, unlike the one-step deployment procedures you've used in the past, this task involves five steps: Boot the prototype system from Windows Preinstallation Environment (WinPE), use ImageX to capture the system to a .wim file, use Diskpart to create a VHD large enough to hold Windows 7, attach the VHD as a drive letter, and use ImageX to apply the new .wim to the newly attached VHD.

Thus, your next task is to boot your Sysprep-prepared prototypic system with WinPE (via USB stick, CD, or whatever) so that your system is ready to run ImageX. You're going to image the C drive (which is probably fairly large), so you'll need somewhere to store the .wim file that ImageX will create. Anything will do, as long as it presents itself as a drive letter. Also, sometimes WinPE re-letters the drives, so you might have to poke around to figure out which drive letter is the actual C drive on the Sysprepped system. Let's assume in this case that the C drive is indeed the C drive and that you've hooked your system up to an external drive as drive S. The ImageX command to capture this system would look like

imagex /capture c: s:\baseimage.wim "Prototype desktop image" /verify


That command converts the C drive into a .wim file, checking with 
the /verify option that C's data got copied without any errors. 

Next, you'll need a VHD to apply the .wim to. You'll use Diskpart to create, select, and attach a VHD on S, and then to partition and format it. In this example, I'll arbitrarily set its size to 100GB (Diskpart's maximum= value is in megabytes):

diskpart
create vdisk file=s:\vhds\deployimage.vhd maximum=100000 type=expandable
select vdisk file=s:\vhds\deployimage.vhd
attach vdisk
create partition primary
active
format fs=ntfs quick label="Standard image"
assign letter=t
exit

I discussed the Create Partition, Active, Format, and Assign Letter 
commands last year, and I showed you the Create Vdisk, Select Vdisk, 
and Attach Vdisk commands a few months ago. This command gives 
the VHD a drive letter of T so that you can run ImageX and tell it to 
apply the .wim file that it just created to drive T, like so: 

imagex /apply s:\baseimage.wim 1 t:\ /verify 

Recall that ImageX needs the 1 to clarify which of the images in baseimage.wim to use. Yes, there's only one image there, but ImageX needs things kept very, very clear. Again, the /verify option tells ImageX to take some extra time and ensure that the data copied without error. Finally, you tell the system what you're doing with drive T and to let you disconnect it:

diskpart 
detach vdisk 
exit 

And with that, you've got your first bootable VHD. But how do you use it? Stay tuned!
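The Diskpart and ImageX steps above are easy to get slightly wrong by hand (a typo in the VHD path, applying the wrong image index, or running imagex /apply before the volume has actually appeared), so here they are as one script. This is an added example, not Mark's code and not a Microsoft tool. It assumes the .wim was already captured from WinPE with the imagex /capture command shown above, and that it runs from an elevated PowerShell prompt on a Windows 7 technician PC with the Windows AIK installed so that imagex.exe is on the PATH (WinPE itself has no PowerShell, which is why the capture stays in the column's cmd form). Paths, the size and the image index are placeholders matching the column's example.

```powershell
# Added example (not from the column): the VHD half of the procedure above as one
# script. Assumes the .wim was captured from WinPE with the column's imagex /capture
# command, and that this runs elevated on a Windows 7 PC with the WAIK installed
# (imagex.exe on the PATH). Paths, size and image index are placeholders.

$wim    = 's:\baseimage.wim'
$vhd    = 's:\vhds\deployimage.vhd'
$sizeMB = 100000        # diskpart's maximum= is in MB; 100000 MB is the column's "100GB"
$letter = 't'
$index  = 1             # which image inside the .wim to apply

function Invoke-Tool([string]$exe, [string[]]$arguments) {
    # Run a console tool, echo its output, and stop the script on a non-zero exit code.
    $output = & $exe @arguments 2>&1
    $output | ForEach-Object { Write-Host $_ }
    if ($LASTEXITCODE -ne 0) { throw "$exe $arguments failed with exit code $LASTEXITCODE" }
    return $output
}

function Invoke-Diskpart([string]$commands) {
    # diskpart takes its commands from a script file when run non-interactively.
    $scriptFile = Join-Path $env:TEMP 'vhd-diskpart.txt'
    Set-Content -Path $scriptFile -Value $commands -Encoding ASCII
    try { Invoke-Tool 'diskpart.exe' @('/s', $scriptFile) | Out-Null }
    finally { Remove-Item $scriptFile -ErrorAction SilentlyContinue }
}

# 1. Refuse to continue unless the .wim is readable and really contains the image index we expect.
$info = Invoke-Tool 'imagex.exe' @('/info', $wim)
if (-not ($info -match "<IMAGE INDEX=`"$index`">")) { throw "$wim does not contain image index $index" }

# 2. Create, attach, partition and format the VHD (the same Diskpart commands as the column).
if (Test-Path $vhd) { throw "$vhd already exists; refusing to overwrite an existing image" }
New-Item -ItemType Directory -Path (Split-Path $vhd) -Force | Out-Null
$create = @"
create vdisk file=$vhd maximum=$sizeMB type=expandable
select vdisk file=$vhd
attach vdisk
create partition primary
active
format fs=ntfs quick label="Standard image"
assign letter=$letter
"@
Invoke-Diskpart $create

# attach vdisk can return before the new volume is mounted, so wait for the drive letter.
$deadline = (Get-Date).AddSeconds(30)
while (-not (Test-Path "${letter}:\") -and (Get-Date) -lt $deadline) { Start-Sleep -Seconds 1 }
if (-not (Test-Path "${letter}:\")) { throw "Drive ${letter}: never appeared after attach vdisk" }

# 3. Apply the image into the VHD, verifying the copy as the column recommends.
Invoke-Tool 'imagex.exe' @('/apply', $wim, "$index", "${letter}:\", '/verify') | Out-Null

# 4. Detach. The .wim and the .vhd now each hold a complete Windows installation,
#    including anything left on the prototype before sysprep ran; keep the external
#    drive under the same controls you would give a system backup.
$detach = @"
select vdisk file=$vhd
detach vdisk
"@
Invoke-Diskpart $detach
```

The two checks that earn their keep are the imagex /info step, which catches a .wim that was captured to the wrong drive letter in WinPE before you spend an hour applying it, and the wait loop after attach vdisk, which is the usual cause of an "access denied" from imagex /apply when the commands are pasted in quickly.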
Otey

"Businesses wanted to deploy their own VMs 
to Azure. In response, Microsoft released the 
new Windows Azure Virtual Machine role." 



Windows Azure Enhancements 

Better management and improved capabilities coming to Microsoft's cloud 


At the Professional Developers Conference (PDC) 2010 in Redmond, Steve Ballmer boldly declared that Microsoft was "all in" for cloud computing. I still have my doubts about whether the cloud is the right move for every business. However, there's no doubt Microsoft is aggressively pursuing its Windows Azure offering. At PDC, Microsoft released a slew of customer-driven announcements around Windows Azure. Here are the most important ones.

1. Windows Azure Marketplace—Windows Azure Marketplace is designed to be an online store where you can buy prebuilt Windows Azure cloud services and applications; it's also a place where developers can offer their Windows Azure applications for sale. Learn more about the marketplace on Microsoft's website at www.microsoft.com/windowsazure/marketplace.

2. Support for Remote Desktop—Remote Desktop has long been the IT administrator's primary tool for remote server management within the organization. At PDC, Microsoft announced that it would let Remote Desktop connect to running Windows Azure instances.

3. Team Foundation Server support—Currently, the primary allure for Windows Azure is for ISVs who develop cloud-based applications and services. In keeping with that base, Microsoft has enabled Team Foundation Server to run on Windows Azure, providing cloud-based application life-cycle management for the organization.

4. Windows Azure AppFabric Caching and Service Bus—Windows Azure AppFabric provides the foundation to build .NET applications on Windows Azure. Service Bus enables Azure applications to connect with on-premises applications—passing through firewalls and Network Address Translation (NAT) connections. AppFabric Caching enables better application performance by providing a distributed in-memory application cache. These features are planned to be generally available in the first half of 2011.

5. Elevated privileges—Another Windows Azure management problem that Microsoft addressed was the need for administrators to have elevated privileges. Elevated privileges will let administrators configure Microsoft IIS Web and Worker roles and will enable administrators to install software such as Windows Installer (MSI) packages.


O Support for multiple administrators —Microsoft is also 
improving the Windows Azure administrative experience. 
Previously, a Windows Azure instance could be managed 
only from a single Windows Live account. Support for multiple 
admins from multiple Windows Live accounts will help enable 
team management. 

O Full IIS support —Another important Windows Azure 
improvement is full IIS support. Currently, Windows Azure 
uses a limited version of IIS. The improved IIS support is 
provided via a new Web role that enables multiple IIS sites per Web 
role as well as the ability to install IIS modules. 

O Windows Azure Extra Small Instance —Previously, 
developing with Windows Azure has been an expensive 
proposition—especially for smaller developers. At PDC, 
Microsoft announced a new Extra Small Instance. Priced at $0.05 
per computing hour, the Extra Small Instance is designed as a 
more cost-effective development and training environment. 

O Windows Azure Virtual Network —The Windows Azure 
Virtual Network enables the creation of hybrid on-prem- 
ises and cloud environments. The first of its features 
available is Windows Azure Connect, which lets IT administra¬ 
tors set up IP-based network connectivity between on-premises 
Windows servers and Windows Azure resources. A CTP is avail¬ 
able from the Windows Azure Management portal (windows 
.azure.com). 

O Virtual Machine role —Although Windows Azure is built 
using virtualization, Microsoft has been reluctant to give 
customers direct access to virtual machines (VMs). Micro¬ 
soft's story has been that with the cloud you can leapfrog the need 
for virtualization. However, businesses didn't accept that limitation 
because they wanted to deploy their own VMs to Azure. In 
response, Microsoft released the new Windows Azure Virtual 
Machine role, which lets you move existing Windows Server 2008 
R2 applications to Windows Azure. The new VM role will support 
Windows Server 2003 and Server 2008 R2. ^ 
ENTERPRISE IDENTITY

Deuby

"Fortunately, there's a way to securely extend your existing corporate identity infrastructure to manage access to cloud services."

Federation Paves the Way Toward True Enterprise Cloud Identity

Be proactive and prepare your AD environment for the future

What aspect of cloud computing do identity professionals care most about? The answer is cloud identity. What is cloud identity? What are the limitations of the existing identity and access models that you're already familiar with? What are the different methods of managing cloud identity? Once you have a knowledge framework in place, it's much easier to make sense of the various moving parts that make up cloud identity and thus understand it as a whole. Perhaps a good place to start this discussion is with my definition of enterprise cloud identity:

Enterprise cloud identity is the practice of securely extending the core corporate identity infrastructure outside an organization's perimeter to manage access to distributed services, applications, and infrastructure.

Creating a general definition of a complex topic often requires some simplification; this definition is a bit simplified in that it ignores private and hybrid cloud models. The public cloud, however, presents both the most significant growth and the toughest security challenge, so this definition fits most cloud scenarios.

The first half of the definition—"securely extending the existing corporate identity infrastructure outside an organization's perimeter"—is something that's hard for the traditional enterprise identity and access management (IAM) model to do. Here's why.

In the enterprise realm, your digital identity is dictated by the corporation for which you work. Your identity is kept in one or more identity stores, such as Active Directory (AD) or a Human Resources database. Authentication is the process of confirming a user's identity; the Kerberos protocol handles the authentication process as a part of AD services. Overall, identity is tightly controlled to stay within the corporate perimeter. As a result, collaborating with other companies usually involves separate accounts at the other company, or perhaps a limited trust relationship between the companies if long-term collaboration is planned.

Cloud computing complicates this traditional, password-based model because cloud services aren't on your protected corporate network—they're on the wide open Internet. These services naturally require some kind of identity to use them. The simplest (and default) approach is to create a separate set of accounts on the application's website for users who need to access that application.

This approach creates problems. Is the session between user and service encrypted so that the password isn't exposed in transmission? Do you trust the security measures of the (possibly quite small) service provider? Who manages the creation of these accounts when users need to access the application? Who changes their access rights as their role changes? Who manages the separate set of passwords? (The user does.) Can you prevent users from re-using their corporate password and thus potentially exposing it? (No.) What is the mechanism for users to recover their password when they've inevitably forgotten it? Can this account-recovery mechanism be gamed (e.g., by guessing the answer to common security questions)? Who terminates access to the account immediately if the user has been terminated? You might be able to manage such concerns for a few cloud service providers, but when you scale it for the predicted growth in cloud services, you can see how this brute-force approach won't keep up.

Another tactic is to use the vendor's own connector to synchronize your identity data with the solution. Doing so is generally an improvement over maintaining separate accounts, but it's still a less-than-perfect solution. For example, Microsoft's Online Services Directory Synchronization for Office 365 assigns a new password to the synchronized account that must be maintained manually. This automates account creation but leaves the problem of manual password management. Also, though these connectors may scale up nicely for the vendor's own customers, they don't scale out. They work only for that vendor.

The ideal approach is to reuse the identity you already have in your enterprise, thus eliminating the duplicate-account management issues. Doing this with the password-based (aka shared-secret) model, however, still requires sending password data over the Internet to the service. Sending password data across the Internet is a bad idea. It's certainly not a sane practice to land one of your company's domain controllers (DCs) at every service provider and open ports on your firewall to allow replication between it and your other DCs! Passwords don't have any limitations in scope. If someone is given a password, or cracks it, they can gain access to a system (assuming he or she has network or physical access to it) and its information until that password is changed or the account is deactivated. If you drop your car keys on the sidewalk, anyone who picks them up and finds your car can drive away with it until you have the locks changed. Pamela Dingle of Ping Identity likes to say, "Trying to push passwords into the cloud is like putting the bank vault door on the outside of the bank." The sidewalk is the Internet; anyone strolling by can take a crack at that vault. So, securely extending your existing corporate identity infrastructure outside your organization's perimeter, without entering another password once you've logged on to your corporate network (aka Internet Single Sign-On—SSO), requires another method—as you'll see shortly.

The second half of my definition of enterprise cloud identity is "to manage access to distributed services, applications, and infrastructure." This is authorization, the process of controlling the authenticated user's access to network resources (e.g., file server, internal corporate web page). You need authorization to manage access outside your perimeter, just as you do inside your perimeter. Inside, AD takes care of this by managing group membership in a user's security token. And though it's not strictly identity management, a third function is auditing: the feedback loop that ensures your identity and access-management configuration is what you expect it to be. Account management in general—and authorization and auditing in particular—are available in cloud identity, but they vary significantly in their maturity compared with federation, and in their adoption from provider to provider.

Fortunately, there's a way to securely extend your existing corporate identity infrastructure to manage access to cloud services. Federation—or federated identity—is a collection of standards and technologies that enables authentication and authorization data to pass securely between an identity provider (e.g., AD) and service providers (e.g., Microsoft's Exchange Online mail hosting service, Zoho's online business applications) without exposing password data. Service providers are also known as relying parties because they rely on the identity data that the identity provider gives them.

14 FEBRUARY 2011 Windows IT Pro

How does federation manage this trick? Federation uses security tokens in much the same way that Kerberos uses tickets. Unlike a password—which is usable no matter who has it, when they got it, and when they use it—AD's Kerberos ticket and federation's security (e.g., SAML) token are tightly restricted on when they're valid. If a bad guy grabs them, they're not usable out of the context they were generated for.

A good parallel for the Windows administrator is the difference between Windows NT's NTLM authentication and AD's Kerberos authentication. NTLM uses a shared-secret authentication method, sending a hash of the user's password over the network, whereas Kerberos uses a digitally signed and encrypted ticket with specific conditions attached to its use. Similarly, separate accounts for a service provider require entering passwords over a (presumably) encrypted connection, whereas federation uses a digitally signed and encrypted token with specific conditions attached to its use. Neither a Kerberos ticket nor a SAML token contains password data.
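To make the contrast concrete, here is a small Python model (an added example, not code from the column or from any federation product) of the conditions a federation token carries: the identity provider signs an assertion with NotBefore, NotOnOrAfter and an audience restriction, and the relying party rejects it outside that context. It uses HMAC with a constructed shared key in place of the X.509 certificate and XML-DSig signature a real SAML or AD FS deployment uses, and the subjects, service URLs and timestamps are constructed.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key shared by the identity provider and the relying party.
# A real federation (SAML, AD FS) signs with an X.509 certificate via XML-DSig;
# HMAC stands in here only so the example runs offline.
IDP_SIGNING_KEY = b"constructed-demo-key-not-a-real-secret"


def _sign(payload: bytes) -> str:
    """Detached signature over the serialized assertion (demo: HMAC-SHA256)."""
    mac = hmac.new(IDP_SIGNING_KEY, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).decode()


def issue_token(subject, audience, groups, now, lifetime_seconds=300):
    """Identity provider side: mint a signed assertion with usage conditions.

    Mirrors the SAML <Conditions> element: NotBefore, NotOnOrAfter and an
    AudienceRestriction naming the one relying party the token is meant for.
    The assertion carries group claims (authorization data) and no password.
    """
    assertion = {
        "subject": subject,
        "audience": audience,
        "groups": groups,
        "not_before": now,
        "not_on_or_after": now + lifetime_seconds,
    }
    payload = json.dumps(assertion, sort_keys=True).encode()
    return base64.urlsafe_b64encode(payload).decode() + "." + _sign(payload)


def validate_token(token, expected_audience, now):
    """Relying party side: accept the assertion only inside its conditions.

    Returns (ok, reason, assertion). A token captured in transit is useless
    outside its time window or at a different service, which is exactly the
    property a password lacks.
    """
    try:
        payload_b64, sig = token.split(".")
        payload = base64.urlsafe_b64decode(payload_b64.encode())
    except ValueError:
        return False, "malformed", None
    if not hmac.compare_digest(_sign(payload), sig):
        return False, "bad signature", None  # tampered payload or forged token
    assertion = json.loads(payload)
    if assertion["audience"] != expected_audience:
        return False, "audience mismatch", None
    if now < assertion["not_before"]:
        return False, "not yet valid", None
    if now >= assertion["not_on_or_after"]:
        return False, "expired", None
    return True, "ok", assertion


def demo():
    """Walk one token through the cases the column contrasts with passwords."""
    t0 = 1_300_000_000  # constructed issue time (seconds since the epoch)
    token = issue_token("alice@corp.example", "https://mail.example.net",
                        ["Mail-Users"], now=t0)
    mail, crm = "https://mail.example.net", "https://crm.example.org"
    return {
        "fresh_at_intended_service": validate_token(token, mail, t0 + 10)[1],
        "replayed_after_expiry": validate_token(token, mail, t0 + 3600)[1],
        "presented_to_other_service": validate_token(token, crm, t0 + 10)[1],
        "signature_tampered": validate_token(token[:-4] + "AAAA", mail, t0 + 10)[1],
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```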


Note that federation doesn't eliminate passwords; you still have to log on to your corporate network with a password. It does, however, keep that password local to your protected corporate environment instead of transmitting it over the Internet. Once you've set up your first few federated trusts, it's a straightforward matter to set up new ones as your business requirements change. And federation isn't only used over the Internet; it can also be used to enable authorization and authentication for web services inside your company.

There are a number of federation solutions available today. Oracle's Identity Federation, Microsoft's Active Directory Federation Services (AD FS), and Ping Identity's PingFederate are all ways you can set up federated trusts with varying degrees of complexity. In upcoming Windows IT Pro columns and articles, watch for deeper dives into federation and how it works. For more information, check out Jan De Clercq's "How AD FS 'Does' Identity Federation" (InstantDoc ID 95469).

Remember, not only do you need to securely extend your identity infrastructure, you also need to be proactive about it. Whether your IT department is ready for it or not, your users will use cloud services; they're just too easy to set up. If you haven't set up a way for them to easily re-use their existing identities on their cloud service provider, they're going to set up duplicate accounts to get their work done. And when one of these users leaves the company or gets terminated, the odds are very good that their account will remain active and open to do with as they see fit. You need to design and implement a cloud-identity strategy for your company's security.

Enterprise cloud identity is about taking the identity infrastructure you've built up so carefully over the years and securely extending it for the next phase of computing. Federation is the key enabler for businesses to accomplish this. How deeply you need to understand it depends on whether your role is AD administrator, web services developer, or end user. But everyone will be using it in the future.

InstantDoc ID 129204 
READER TO READER

SATA AHCI

Switching the BIOS SATA Mode from IDE to AHCI

I've seen much discussion on the web about how to switch the BIOS Serial ATA (SATA) boot drive from IDE mode to Advanced Host Controller Interface (AHCI) mode in existing Windows installations. AHCI exposes SATA's advanced features, including reduced CPU overhead and hot-plug and power-management capabilities. If you're running Windows 7 or Windows Vista, there's a registry tweak to switch to AHCI mode (see support.microsoft.com/kb/922976). If you're running Windows XP, you're not out of luck. If your motherboard has an IDE port, switching is relatively simple. Here's how to do it:

1. Download the "F6" driver files for your SATA controller chipset. You can download the driver files from your motherboard manufacturer's website or use the files found on the motherboard's installation CD-ROM. Alternatively, for well-known manufacturers, you might be able to find the F6 driver files for your chipset by searching the web (e.g., search for "F6 ICH9R"). Put the driver files into a new directory (e.g., C:\ICH9R) on the existing SATA boot drive, which I'll refer to as SATA-01.

2. Use an imaging program to make a full disk backup image of SATA-01, and save the image to a different spindle (e.g., F:\SATA-01\SATA-01.tib, F:\SATA-01\SATA-01.gho) or removable drive. Use the imaging program's verification function to verify the integrity of the SATA-01 backup image.

3. Make another full disk backup image of the SATA-01 boot drive, saving it to a different spindle (e.g., G:\SATA-01\SATA-01.tib, G:\SATA-01\SATA-01.gho) or removable drive. Once again, verify the integrity of the backup image. This second backup image isn't needed for the switch, but it provides extra protection in case of operator error. If an error occurs, you shouldn't use the second backup image for the restore operation. Instead, make a copy of it and use the copy for the restore operation.

4. Shut down and 
physically disconnect 
the data and power connections to the 
SATA-01 boot drive. Be sure to label the 
boot drive. I recommend removing the 
boot drive and setting it aside for safety. 

5. Connect an IDE drive of suitable 
byte size to an available IDE cable. If your 
motherboard has only one IDE port, set 
the IDE drive to Master with Slave Present 
and the CD-ROM/DVD drive to Slave (or set 
both to Cable Select). If your motherboard 
has two IDE ports, put the IDE drive on 
one cable by itself and set its jumpers to 
Single (or Master with Slave Present if you 
have two IDE drives). Put the CD-ROM/DVD 
drive(s) on the other cable and configure 
the jumpers appropriately (i.e., one Master 
and the other Slave, or just use Cable 
Select for both). Note that having a second 
IDE drive present when switching to AHCI 
mode introduces opportunities for error. 

6. Connect a different preformatted SATA drive to the same data and power connectors that were previously connected to SATA-01. I'll refer to this drive as SATA-02. You aren't required to use a second SATA drive when you make the actual switch—you can use SATA-01. However, I recommend that you use a different SATA drive (i.e., SATA-02) for safety's sake. If you decide to use the original SATA-01 boot drive, make sure that you're comfortable with your backup image and imaging program's restoration process.

7. Boot up using your imaging pro¬ 
gram's boot CD-ROM. You might need to 
change the boot order in the BIOS so that 
it boots from the CD-ROM drive first. 

8. Restore the F:\SATA-01 backup image (including all partitions and the MBR) to the IDE drive.

9. Reboot and change the BIOS 
SATA from IDE mode to AHCI mode. Also, 
change the BIOS boot order so that it 
boots the OS from the IDE drive. 

10. Boot into the OS (which is now on the IDE drive). Windows should see the attached empty preformatted SATA-02 drive and either install the Windows default AHCI drivers automatically or prompt you for the location where you saved the manufacturer's F6 driver (e.g., C:\ICH9R). SATA-02 should now show up in Windows Explorer as a drive (e.g., E:).

11. Shut down Windows and use your 
imaging program's boot CD-ROM to clone 
the IDE drive to the SATA-02 drive. 

12. Shut down, disconnect, and 
remove the IDE drive. 

13. Set the BIOS to boot the OS from 
the SATA-02 drive, which will now become 
the boot drive. 

14. Boot into the OS. The AHCI driver 
will be automatically used for SATA-02. 

You can continue to use the SATA-02 
boot drive, and the switch is complete. If 
you prefer to use your original SATA-01 
boot drive for production, you can: 

1. Make a final backup image of the 
SATA-02 boot drive to an available spindle 
or removable drive. 

2. Shut down and replace the SATA-02 
drive with the SATA-01 drive. 

3. Use your imaging program's boot 
CD-ROM to restore the final SATA-02 
backup image to the SATA-01 drive.

—Bret A. Bennett, IT Consultant 
InstantDoc ID 129268 
ASK THE EXPERTS


■ DFSR 

■ BranchCache 


■ Terminal Services 

■ MED-V 



ANSWERS TO YOUR QUESTIONS 



Q: Is it possible to delegate DFS Replication management to non-administrators?

A: You can delegate the ability to manage DFS Replication (DFSR) through the DFS Management snap-in. Right-click the Replication node of DFS Management and select Delegate Management Permissions; then, users can be added, giving them the right to create DFSR replicas.

If you want a user to be able to manage a particular replica group, select Delegate Management Permissions from the context menu of the particular replica group.

Note that in addition to rights for DFSR, if the user is adding servers into a replica group, the user must be a local admin on the new box if it's a member server or must be a Domain Admin if the new box is a domain controller (DC).

—John Savill 

InstantDoc ID 129085 

Q: Can I trigger automatic 
certificate enrollment (certificate 
auto-enrollment) on a Windows 
client? 

A: Yes, you can easily trigger automatic 
certificate enrollment with the command 


certutil -pulse 

Make sure you do this from an 
administrator-level command prompt 
window. 

—Jan De Clercq 

InstantDoc ID 129240 

Q: What's VMware Data Recovery 
(VDR)? 

A: VDR is an image-level backup solution that's available in the Essentials Plus bundle and vSphere Advanced editions of vSphere 4.1. VDR is intended to be the replacement for the now-deprecated VMware Consolidated Backup tool that was available in previous versions.

VDR creates full and incremental backups of VM images (their VMDK files) as well as file-level backups for Windows virtual machines (VMs). It integrates with the onboard Volume Shadow Copy Service (VSS) that's natively available in Windows to properly quiesce VMs and their installed applications, letting you be sure that you're getting consistent backups. VMs are backed up to disk-based storage using either local storage in a vSphere datastore or CIFS-based networked storage. Off-site storage isn't supported.

VDR includes data deduplication to reduce overall storage consumption across backed-up VMs, but it isn't equipped with application-specific restore tools, such as those needed to restore individual Exchange messages or SQL Server items. This limitation means that restoring application objects will require a restore of the entire VM first.

VDR arrives as a virtual appliance that can be installed using an OVF template file. You use the Deploy OVF Template option inside the vSphere client to begin its deployment.

—Greg Shields

InstantDoc ID 129304

Q: Is there a central repository of all Microsoft EULAs?

A: If you're one of those people who just accepts the EULA without reading it, Microsoft has all its EULAs on its site for future reference. Select the product, version, and language, and the EULA will be available as a PDF. You can also just run the Winver command in Windows—it has a link to the EULA for the product you've installed.

—John Savill
InstantDoc ID 129323

Q: A DC has been restored back to 
a state over 30 days old and now 
won't talk to the rest of the DCs. 
What can I do? 

A: Scrap the DC, recreate it, and promote it to a DC again. You'll hear people telling you to run

netdom resetpwd

which will just reset the password of the DC for the rest of the domain. But you run the risk of deleted objects being re-introduced if the DC has been restored to a state older than the tombstone lifetime.

Taking snapshots of DCs in produc¬ 
tion is not supported or recommended. 

Just take normal backups and consider 
DCs expendable. Just run Active Directory 
Domain Services on your DC; if a DC has 
some problem, just wipe it and stand up 
another DC in its place. 

—John Savill 

InstantDoc ID 129089 


HIGHLIGHTS OF CONNECTIONS 2010 SHOWS INCLUDE: 

FRED J. STUDER, General Manager, Information Worker Business 
Group Lead, US Business Marketing Operations, Microsoft, & 
SHAUN PIERCE, General Manager, Lync Server Division, Microsoft, 
celebrate the release of Microsoft Lync 

BOB MUGLIA, President, Server and Tools Business, Microsoft, 
launches Visual Studio 2010 


SCOTT GUTHRIE, Corporate Vice President, .NET Developer 
Platform, Microsoft, launch of Silverlight 4 



JOE BELFIORE, Corporate Vice President, Windows Phone Program Management, Microsoft, announces Windows Phone 7 to the developer community.

Many surprises happened, including attendees of our Windows Phone 7 pre-conference workshop at our November 2010 DevConnections show receiving a free Windows Phone 7.

Collaboration between DevConnections and 
Microsoft continues, bringing great insight for developers like 
you into how to use the newest technologies. What will you and 
your team see at DevConnections in 2011? You'll need to sign up 
and be there to find out! 


Our unique format of Microsoft Day sessions and third-party sessions lets DevConnections attendees get the Microsoft technologies in the

• Keep your competitive edge by staying on top of the latest technology and visit sessions in the co-located events at no extra charge!

• Connect with colleagues and build a valuable network 
of peers 


Workshops help you dive into key areas including: 
SharePoint collaboration, hands-on jumpstart on 
Exchange Server 2010 SP1, hands-on exploration of 
Microsoft Lync Server 2010, professional development 
in SharePoint 2010, SharePoint Business Connectivity 
Services (BCS), integrating SharePoint 2010 with 
Exchange 2010 and Lync 2010, and organizing 
information in SharePoint 2010 
MICROSOFT DAY

EXCHANGE SESSIONS

EMS01: HOW MICROSOFT IT IMPLEMENTED MICROSOFT EXCHANGE SERVER 2010

EMS02: USING MICROSOFT EXCHANGE 
SERVER 2010 TO ACHIEVE RICH 
COEXISTENCE WITH EXCHANGE ONLINE 

EMS03: WHAT'S NEW IN ARCHIVING, 
RETENTION, AND DISCOVERY IN 
MICROSOFT EXCHANGE SERVER 2010 SP1 

EMS04: WHAT'S NEW IN OWA, MOBILITY 
AND CALENDARING IN MICROSOFT 
EXCHANGE SERVER 2010 SP1 

EMS05: MICROSOFT® LYNC™ SERVER 
2010: TRANSFORMING THE WAY PEOPLE 
COMMUNICATE 

EMS06: MICROSOFT® LYNC™ SERVER 
2010: WHAT'S NEW IN DEVICES 

EMS07: BUILDING COMMUNICATIONS 
ENABLED BUSINESS PROCESSES WITH 
MICROSOFT® LYNC™ SERVER 2010 

EMS08: MICROSOFT® LYNC™ SERVER 
2010 INTEROPERABILITY: VOICE, VIDEO, 
CONFERENCING, IM, AND PRESENCE 


EXC01: THE EXCHANGE SERVER STORE DEMYSTIFIED

PETER O'DOWD

So just how does the Exchange Store work? Understanding this is critical to improve your chances of recovery from a disaster. Find out how, with topics including: log files and database signatures; correct use of eseutil; checkpoint depth; missing log files; how the Extensible Storage Engine actually works; improvements with Exchange 2010. What is in the header of a database, and why do I care? Peter has travelled the globe teaching both inside and outside of Microsoft on this topic. If you want to understand the store, then this is your session.

EXC02: TELEPHONY DEMYSTIFIED FOR EXCHANGE ADMINS (PART 1)

PETER O'DOWD

Need to understand telephony concepts quickly? Don't have days to spend researching things you probably won't need to know? Let Peter bring you up to speed in this first of his two killer sessions for demystifying telephony concepts. Learn just what you need about business phone systems and PBXs, circuit switching, trunk lines, dial plans, and hunt groups to be able to plan and implement your Unified Messaging solution. This session is a must for any Exchange administrator who is about to dive into Unified Messaging with Exchange. The session is also relevant if you are considering Microsoft Lync!

EXC03: TELEPHONY DEMYSTIFIED FOR EXCHANGE ADMINS (PART 2)

PETER O'DOWD

In this second of two killer sessions on demystifying telephony concepts you will start to apply your new understanding of telephony to how it works with Exchange Server 2010 UM. Avoid spending days researching things you probably won't need to know. Let Peter bring you up to speed with call flows between PBXs and Exchange UM servers. Learn about VOIP gateways and when you need them, Outlook Voice Access call flows, the SIP protocol and how it works, call answering rules, and auto attendant. This second session is a must for any Exchange administrator who is about to dive into Unified Messaging with Exchange.

EXC04: CLIENT ACCESS SERVER 2010—FINALLY SERVING ALL CLIENTS!

KEVIN LAAHS

The CAS role plays an even bigger role in your Exchange 2010 environments than it does in Exchange 2007. Whilst it still supports the likes of OWA, ActiveSync, and Exchange Web Services, there are some fundamental architectural changes that will change the way you architect your Exchange environments. In this session we take a look at the major new functions that the CAS supports, such as the Exchange Control Panel and "MAPI on the Middle Tier" (for Outlook clients), as well as all the exciting end user features that are delivered by the likes of OWA and ActiveSync (even to Firefox and Safari browsers).

EXC05: EXCHANGE WEB SERVICES—FOR EVERYONE!

KEVIN LAAHS

PowerShell is often considered within the realm of IT administrators, whereas Web Services is firmly in the developer camp—and usually, never the twain shall meet! But now the combination of PowerShell and Exchange Web Services can be harnessed by end users to build and run scripts to manage mailbox data from desktop machines. This session shows IT administrators, developers, and end users alike how friendly Web Services can be, and how you can easily leverage them to automate many operations in your Exchange environment.

EXC06: EXCHANGE, SHAREPOINT AND OFFICE—BETTER TOGETHER?

KEVIN LAAHS

What integration points exist between SharePoint 2010, Office 2010 and Exchange 2010? Does the combination of these three flagship products (and others such as OCS) bring any new opportunities for my overall environment? And what about the existing integration points that were there in the 2007 suite of products? Are they still available? In this session we'll answer the numerous questions in this abstract! The session first looks at how Outlook 2010 lights up when connected to Exchange 2010, followed by a trip around many of the integration points between various products in the overall ecosystem (such as searching SharePoint content from Windows, viewing user pictures from multiple locations, and overlaying SharePoint and Exchange calendars).

EXC07: THE RPC CLIENT ACCESS ARRAY: THE MISSING PIECE OF EXCHANGE AVAILABILITY

DEVIN L. GANGER

Exchange 2010's Database Availability Group functionality has received a lot of press and hype (and deservedly so) for enabling better, easier HA scenarios. There's a missing piece, however: the RPC Client Access Array. This session, drawn from real-world examples, explains what the RPC Client Access Array object is (and what it isn't), when you need it, and how to deploy it. Devin will also examine how deploying RPC Client Access Arrays affects the clients, load balancers, reverse proxies, and other parts of your Exchange organization. We recommend you take this session in conjunction with the session: Load Balancing Your Exchange Deployment.

EXC08: LOAD BALANCING YOUR EXCHANGE DEPLOYMENT

DEVIN L. GANGER

When it comes to highly available Exchange deployments, a lot of attention is focused on the Mailbox role. As the CAS role in Exchange 2007 and Exchange 2010 takes over more of the client connections, load balancing incoming connections at the CAS and Hub Transport becomes more important to successful Exchange deployments. This session, drawn from real-world examples, examines the requirements, caveats, and best practices available for designing appropriate load balancing solutions for Exchange 2007 and 2010 deployments. It compares Windows Network Load Balancing, software load balancers, and hardware load balancers. We recommend you take this session in conjunction with the session: The RPC Client Access Array: The Missing Piece of Exchange Availability.

EXC09: WAN OPTIMIZATION FOR EXCHANGE

DEVIN L. GANGER

WAN optimizers provide on-the-fly bandwidth reduction for a variety of applications: mainly websites and file services. However, Exchange MAPI-RPC client sessions may also benefit from these devices. This session, drawn from real-world examples, explains how current WAN optimizer offerings work with MAPI, both client-to-server and server-to-server, and helps give you information to assess what kind of bandwidth savings you might see in your environment. How does SMB signing affect your optimization? Can optimization be extended to mobile clients? Can optimization help with the replication of multiple DAG copies into a secondary site? Devin will examine these topics and provide clear answers to help you determine if WAN optimization is right for you.

EXC10: EXCHANGE 2010 HIGH AVAILABILITY WITHOUT THE HIGH COST
JIM MCBEE

In older versions of Exchange, achieving high availability required more servers, third-party products and/or additional storage technologies. Clustering in Exchange Server 2010 has evolved into database availability groups (DAGs). Unlike previous versions, where availability and databases are tied to specific servers, with DAGs a database can be active on any server within the availability group, and each database can be made active on any server within the group. This session will cover using Exchange Server 2010 in a small or medium-sized business (under 1,000 users) where you want to achieve high availability. Topics include database availability groups, Client Access arrays, and providing high availability for the message transport when using two-server DAGs.

EXC11: MIGRATING TO EXCHANGE 2010 FROM EXCHANGE 2003
JIM MCBEE

This session will cover the practical aspects of migrating from Exchange Server 2003 to Exchange 2010, including meeting the necessary prerequisites, interoperability, and potential showstoppers. Topics include factors to evaluate before migrating, the steps necessary to prepare your organization, mail routing, web client redirection, moving public folder content, and moving mailbox data.

EXC12: MAKING GOOD IT BUSINESS DECISIONS WHILE CLOUD PROOFING YOUR CAREER
JIM MCBEE

Outsourcing IT services to the cloud is a topic that is frequently on everyone's mind, but often not properly discussed. Depending on whose marketing material you read, EVERYONE should outsource their e-mail to a hosted provider. In many cases, outsourcing makes good business sense as long as you consider all of the corporate, political, or legal restrictions. But where does that leave the on-premises admin? Can you take effective steps to cloud-proof your job? What kinds of things should you be doing to build a protective umbrella of your own value to help you if the clouds come to your office? This session examines the business economics of outsourcing e-mail services to the cloud while offering some practical tips to help you weather cloudy times.

EXC13: FOREFRONT TMG CLIENT ACCESS PUBLICATION AND EDGE TRANSPORT INTEGRATION
MIKE CROWLEY

During this session, Mike will cover two aspects of Exchange and TMG integration. In the first half, he'll discuss the installation procedures and configuration requirements for running TMG and the Edge Transport role on the same server. In the second half, he'll demonstrate the steps of publishing Exchange client access through TMG.

EXC14: INFORMATION RIGHTS MANAGEMENT EXPLORED
MIKE CROWLEY

During this session, we will discuss and then demo IRM and S/MIME, the infrastructure requirements for both, the pros and cons, and configuration.

EXC15: OFFICE 365
MIKE CROWLEY

This session will cover capabilities, migration, and administration of the Office 365 and Live@EDU environments. It will include demonstrations and best practices.



EXC16: HIGH AVAILABILITY WITH THE OTHER ROLES: HUB TRANSPORT, CLIENT ACCESS, AND UNIFIED MESSAGING
MICHAEL B. SMITH

Most high availability discussions focusing on Exchange revolve around the mailbox server. However, there are other significant roles that need to be considered: Edge, HT, CAS, and UM. In this session we will cover the basic concepts behind HA and the details associated with configuring the Edge, HT, CAS, and UM roles for HA.

EXC17: DUMPSTER AND LITIGATION HOLD: DUMPSTER 2.0 VS. DUMPSTER 1.0
MICHAEL B. SMITH

Exchange 2010 introduces a new dumpster: Dumpster 2.0. In this session, we will discuss when Dumpster 2.0 takes effect and how it differs in operation with SingleItemRecovery enabled (or not), with Retention Hold, with Discovery Searches, and otherwise. We will deep-dive into how this information is stored in the Exchange ESE database.

EXC18: CONFIGURATION AND USAGE OF RETENTION POLICIES IN EXCHANGE 2010 SP1
MICHAEL B. SMITH

Exchange 2010 introduced Retention Policies to replace Managed Folders. In RTM, Retention Policies were not very useful. In this session, we will discuss how to provide functionality approximately equivalent to that provided by Managed Folders and what additional features Retention Policies provide to the business and end-users.

We will deep-dive into how these items are stored in Active Directory, what functionality is lost, and what can be controlled by the Exchange administrator.

EXC19: EXCHANGE 2010 DEPLOYMENT AND MIGRATION BEST PRACTICES
KIERAN MCCORRY

Exchange 2010 is yet another version of Exchange. Its architecture and topology are similar to those introduced with Exchange 2007, but there are some important changes and restrictions on interoperability that any organization in the early stages of planning a move to Exchange 2010 should be aware of. This session will give an overview of the best practices for Exchange 2010 deployment and focus on the interoperability and migration aspects from previous versions of Exchange.

EXC20: EXCHANGE 2010 SP1
KIERAN MCCORRY

There's nothing like waiting for the first service pack before looking in earnest at a new product deployment. Exchange 2010 Service Pack 1 brings a host of improvements and enhancements to the core platform. In this session, we'll see what comes with the update and why it makes sense to think about deploying Exchange now that SP1 is here.

EXC21: EXCHANGE 2010 INFORMATION PROTECTION AND RETENTION
KIERAN MCCORRY

Exchange 2010 brings with it the most comprehensive set of Exchange features yet from Microsoft to help you safeguard and protect your data and where it goes in your Exchange organization. This new version has sophisticated rules for controlling information flows within the organization and taking actions when certain events occur. In addition, Exchange 2010 has a completely revamped model for information retention and archiving by means of the Online Archive. This session will describe those new features and explain what they mean for you as a system administrator and for your users as information workers.

EXC22: BRINGING IT ALL TOGETHER: INTEGRATING EXCHANGE, LYNC, AND SHAREPOINT
PAUL CHARBENEAU

Now that you have Exchange, Lync, and SharePoint, how do you get the most out of those investments by getting them to work together? This session will show you how to integrate services from Exchange, SharePoint, and Lync Server so that common data and a common user experience are provided across your Unified Communications framework. Same picture in Communicator, Outlook, and SharePoint? Sure. Want to IM from OWA? No problem. Paul Charbeneau will walk through these features and will also demo Office Web Apps, PowerPoint broadcasting, and co-authoring with SharePoint.

EXC23: EXTENDING ON-PREMISES EXCHANGE INTO THE CLOUD WITH OFFICE 365
TOM PHILIPS

As you know, Exchange is taking a big step into the cloud. It offers companies an opportunity to move some or all mailboxes off-premises. This can be an appealing option for distributed organizations with many users in one location and several users spread around the globe. In this session, Tom Phillips, who has been working with Microsoft on Office 365 federation for several months, will discuss and demo how you can split your users between an on-premises Exchange Server 2010 server and off-premises Office 365 Exchange.

EXC24: CAN LYNC SERVER 2010 REPLACE YOUR PBX?
THOMAS FOREMAN

Have you been waiting to replace your PBX with a full VoIP solution, but were unsure of Office Communications Server? Are you curious about Lync Server 2010 and its new Enterprise Voice features? Come to this information-packed session that will review all of the features of Lync Server 2010 that qualify it as a full VoIP solution that can replace your PBX. Microsoft has worked hard at being able to make the claim that Lync Server is a full PBX solution; come see what new features allow Microsoft to make this claim. Gain important knowledge and see detailed demonstrations that show the features that make Lync Server 2010 a full PBX solution, such as the Call Park feature, Voice Resiliency at the data center and at branch offices, Malicious Call Tracing, Call Admission Control, Media Bypass, New Devices, Enhanced 911, and more. Come see how Lync Server 2010 is so much more than just a PBX solution and then take this information back to begin your deployment.
INTRODUCTION TO APPLICATION 
(MED-V) 

BRINGING TRADITIONAL DESKTOP 
COMPUTING, MOBILITY AND CLOUD 
COMPUTING TOGETHER 
7 WITH THE MDT 2010 

DIRECT ACCESS: THE DEATH OF THE VPN 
WINDOWS SERVER 2008 R2 

HYPER-V: SECURING YOUR 
VIRTUALIZATION ENVIRONMENT 


WIN01: DON JONES'S 75-MINUTE POWERSHELL CRASH COURSE
DON JONES

If you can run "Ping," then you can start using PowerShell to automate a huge number of administrative tasks. In this concentrated, information-packed session you'll learn the key secrets of making PowerShell easier to use and more effective, and you'll see common administrative tasks automated right before your eyes. Create users in AD, retrieve management information from remote computers, calculate last startup time for servers, and much more. You'll also learn the tricks to teaching yourself new PowerShell techniques, opening the door to automating Exchange, System Center, SharePoint, IIS, and much more.

WIN02: DON JONES'S SECRETS OF CLIENT AND SERVER REMOTE CONTROL WITH WINDOWS POWERSHELL
DON JONES

Windows has finally caught the command-line wave, and PowerShell is your new, command-line "remote desktop!" Learn the secrets of how PowerShell remote control enables you to securely and efficiently control both server and client computers. You'll learn how to use the one-to-one "remote shell" option as well as the super-efficient one-to-many technique that controls multiple remote computers in parallel. PowerShell expert Don Jones details the underlying protocol and configuration settings, giving you all the details as well as the best practices you need.

WIN03: DON JONES'S ADVANCED WINDOWS POWERSHELL: ERROR HANDLING, DEBUGGING, "SCRIPT CMDLETS," AND MORE
DON JONES

Take PowerShell further by turning simple commands into powerful, reusable tools that you can distribute to other administrators! Learn how PowerShell error handling works to add error logging and logic to your tools, and learn the tricks that experts use to debug PowerShell scripts faster and more efficiently. PowerShell expert Don Jones also provides all sample scripts, and a complete shell transcript, for download after the conference, giving you ready-to-use templates and tools to use as a starting point back home.

WIN04: VDI-IN-A-BOX: MICROSOFT DESKTOP VIRTUALIZATION FOR SMALLER SCENARIOS AND BUSINESSES
GREG SHIELDS

Today's talk about VDI centers around deploying hundreds or thousands of desktops. But sometimes you just want access for a few people and a few applications. Or, you just can't afford big-budget solutions. Have you tried Microsoft Hyper-V and RDS? Combining these two tools, a sufficiently powerful server, and the information in this session, you'll quickly build a single-server VDI solution for just those small needs. Join RDS MVP Greg Shields for a look at the very small in VDI. He'll show you how to get started on the most micro of budgets, and send you home with the exact click-by-click to begin hosting your own virtual desktops.

WIN05: PREPARING SOFTWARE FOR DEPLOYMENT WITH A WINDOWS 7 UPGRADE
GREG SHIELDS

Application guru Greg Shields hates walking around the office, DVDs in hand. He hates clicking Next, Next, Finish to install software. He also hates dealing with applications that are directly installed into his Windows 7 deployment images. That's why he taught himself software packaging, and automated software installation for a company of thousands. Join Greg in this session to learn his tricks for repackaging software. Then you too can automatically deploy applications with your Windows 7 deployments.


WIN06: AUTOMATICALLY DEPLOYING WINDOWS 7 WITHOUT THE MICROSOFT ALPHABET SOUP
GREG SHIELDS

Greg Shields may be best known for his books, magazine articles, and conference sessions, but he started his career deploying thousands of computers from the basement of a building with no windows. His passion for deploying Windows is fed by his desire to automate everything. You can do that with Microsoft's free tools. But while the tools are fantastic, their alphabet soup of acronyms is confusing and their documentation isn't much better. Learn Greg's seven simple steps in 75 minutes or less, and leave with a framework for automating everything in Windows 7 deployment.

WIN07: MICROSOFT OPALIS 101: YOUR SECRET IT PRO AUTOMATION BUDDY, ENGINE, AND SECRET WEAPON
JEREMY MOSKOWITZ

By the time you read this abstract, the tool Microsoft recently bought called Opalis might have a new name. It might be called something like "Microsoft Automation Engine." Heck, the original name of this product was the super-cool name "Opalis Robot," so you know it's gotta do some kick-butt stuff. What does it do? It's your code-free automation engine to push the dozens to hundreds of buttons from system to system, so you don't have to. When an alert or condition happens, you want to know about it, of course, but you also want the problem to just go away. If you can dream of the "automatically fix it" scenario, Opalis is there to be your invisible (and automatic) arms and fingers. In this session, you'll learn about the moving parts of Opalis as well as some key scenarios where you can use this tool right away.

WIN08: MICROSOFT AND 3RD-PARTY GPO TOOLS YOU HAVE NEVER HEARD OF (AND SOME YOU HAVE)
JEREMY MOSKOWITZ

It's now more important than ever to "do more with less." And if you're an Active Directory administrator, you're also a Group Policy administrator. And that means you need to do more with what you've got. The good news is, there are a gaggle of free, low-cost, and paid tools to help round out your Group Policy experience. Some tools are in the box, downloadable from Microsoft, or available with a license. Some tools we'll explore are third-party tools. Together, these tools can help you troubleshoot, lock down your desktops, make your applications more secure, manage what you've got more efficiently, and be a better administrator. In this session, you'll walk away with a huge list of applications you can experiment with today to see if they're a good fit for your environment and see if you can really "do more with less."

WIN09: TOTAL WORKSTATION LOCKDOWN: YOUR ACTION PLAN
JEREMY MOSKOWITZ

Total workstation lockdown isn't for every machine in your organization, but some machines require it. It's usually those "public walk-up" machines that we need to manage a little bit differently: the machines that are in the cafeterias, the lobby and the library. The more we think about it, these kinds of machines are everywhere in our organization, inviting attack and ruining our day. Who knows what crazy things people are doing on these machines, visiting strange websites and installing evil software. The good news is that Microsoft has a slew of solutions to help you with this very specific problem. And it doesn't mean you need to turn the thumbscrews and go from 0 to 100% lockdown either. Microsoft has a variety of technologies you can choose (and mix and match) to make sure your workstations are locked down only as much as they need to be. In this session, Group Policy MVP Jeremy Moskowitz will demonstrate a myriad of ways to make your public desktops more secure. You will also learn about some non-Microsoft tools to help enhance your control of this notoriously difficult situation.

WIN10: VMWARE ESX BEST PRACTICES: NOTES FROM THE FIELD
ALAN SUGANO

Over the years of installing ESX, we have developed a list of best practices for implementing ESX. These include ESX Host Selection, Storage Groups, SAN Design, Storage Planning, Thin versus Thick Provisioning, vCenter Server, Backup, Cloning Virtual Machines, Security, Virtual Machine OS Selection, and Physical to Virtual (P2V) Conversions. All of these practices were developed as a result of real-world implementations of ESX. Find out how to avoid potential pitfalls when implementing ESX and ensure a stable, secure and fast virtualization infrastructure.

WIN11: THE CLOUD CONTROVERSY: AN IN-THE-TRENCHES VIEW OF YOUR COMPANY'S PLACE IN THE CLOUD
ALAN SUGANO

Cloud computing is a hot, controversial topic. Some experts see it as a major paradigm shift, while others think it's an incredibly bad idea. We'll examine what the major cloud vendors have to offer and the companies where cloud computing is a good fit. Going forward I foresee many companies adopting a hybrid approach, placing items in the cloud when it makes sense but still retaining their core infrastructure on-site. We'll examine some of the challenges facing migration to the cloud, including WAN connections, security, regulatory requirements, and network configuration.

WIN12: PASS A PAYMENT CARD INDUSTRY (PCI) COMPLIANCE SCAN (AND WHY YOU'D WANT TO EVEN IF YOU DON'T HAVE TO)
ALAN SUGANO

If your company accepts credit cards, there's a good chance you need to be PCI compliant. So you do the right thing and sign up for your first PCI scan, and the results are longer than War and Peace. Where do you start? This session will give you tips to help your company become PCI compliant and what you should do to remain compliant. What's that, your company isn't concerned about PCI compliance? You still need to attend this session, because it highlights security practices that are relevant to every company, no matter what their security needs.

WIN13: CONDUCTING A FORENSIC COMPUTER INVESTIGATION FOR IT STAFF
MIKE DANSEGLIO

Computer crime has been on the rise for decades. There are many situations where an incident occurs that doesn't break the law but is still cause for concern, such as corporate policy violations, information mishandling, or internal system compromise. Many companies are forming their own internal investigative units to address these situations. In this session, we'll examine what kinds of investigations can be handled internally, when and how to engage law enforcement, how to best prepare for incidents, and the best practices to use. We will also focus on building your computer investigation toolkit, including the tools you should have and how you should use them.

WIN14: NETWORK SNIFFING FOR IT PROS, NOT HACKERS
MIKE DANSEGLIO

The IT pro has a great variety of network monitoring tools and techniques available today. But many believe these are the tools of evildoers or spies. This session dispels the myth by showing how to use tools like Wireshark to capture, analyze, and troubleshoot common network problems during everyday operations. You'll see a number of examples of network problems, including network storms and server failures, as well as more expected issues like nefarious intruders and audio and video streams causing network failures.

WIN15: THE NETWORK FILES, CASE #53: DIAGNOSING DISEASES OF DNS
MARK MINASI

Network troubleshooters soon learn that the first place to look when the network stops working is DNS... and soon after that, they learn that the in-the-box DNS troubleshooting tool, nslookup, is a pretty weak answer. But this session remedies that with a clear, step-by-step set of diagnostic approaches and prescriptions for DNS ills of all stripes. Give your troubled DNS queries a thorough workup with Network Monitor, and find out why those dynamic updates aren't happening. Get the scoop on the dreaded "eDNS flu," an ailment endemic to Server 2008 and 2008 R2 boxes. Take your DNS system's pulse with DNSLint. Take a sample of your DNS output with a close examination of your logs, and more. Attend this session and you'll soon be known as "Doctor DNS!"

WIN16: BEND R2'S ACTIVE DIRECTORY TO YOUR WILL
MARK MINASI

Most of us who have to manage an AD sometimes run into a problem like "I need to disable all accounts that haven't logged on in the past 60 days," only to find that Active Directory Users and Computers doesn't seem to be able to help much there. (It can, actually, but you'd have to put on your diving helmet and sink many fathoms into LDAP query-land to get the job done.) So you wonder, "What to do here?" and start talking yourself into solving the problem by hand, click by click. You KNOW a few days of writing a VBScript or two might solve the problem, but that's an awful lot of work, so, again, what to do? Microsoft's given us the answer in their 76 shiny new Active Directory-related PowerShell commands. With a bit of practice, you can glue two or three PowerShell commands into a powerful one-liner that can do what used to take three days and 150 lines of VBScript... even if you've never written a line of code. Join command-line technofreak Mark Minasi in a quick, clear guide to the PowerShell commands you need, and how to make them work together. Every attendee will leave prepared to create their first "one-liner!"

WIN17: TEN (OR MORE) THINGS YOU PROBABLY DON'T KNOW ABOUT WINDOWS SERVER 2008 R2
MARK MINASI

Okay, so maybe you've read about or even played around with Windows Server 2008 R2. You know a bit about Active Directory's PowerShell cmdlets, DirectAccess, BranchCache and the new backup program. It's all great stuff, but... did you know that R2's the first print server whose spooler service WON'T crash just because a print driver failed? Or that R2's DHCP server service has a cool new MAC filter feature, combined with helpful new support for split scopes? Well, that's just the start. Ever needed to resize a VHD? R2's got command-line support for that, as well as a whole new kind of built-in SMB cache. And of course you know that R2 shores up your system's security by blocking those scary old 1980s LM-type logons, but did you know that R2's got the tool that you need to smoke out and stomp those persistent early '90s NTLM logons? Join server geek Mark Minasi in a fast-paced review of all of the R2 features that haven't really gotten the attention that he thinks they ought to, complete with demos and step-by-step instructions to try them out in your own network. Hey, what would be crazier than paying for a new server operating system and not squeezing all of the juice out of it?

WIN18: GOING, GOING, GONE? VIRTUALIZING YOUR ACTIVE DIRECTORY FOREST
SEAN DEUBY

Is your company going through a server consolidation project using virtualization? Has the project team come to you and asked you to prove why they shouldn't virtualize the entire Active Directory? Does this make you uneasy? It should! There are ways to safely virtualize your AD, but you shouldn't do it all, and if you don't do it right you could endanger your entire forest. Learn from Sean how to safely virtualize and manage your domain controllers, with the best practices from the Microsoft Directory Services Team.

WIN19: THE BEST FREE TOOLS FOR WINDOWS DESKTOP ADMINISTRATION
GREG SHIELDS

IT professionals are a unique group. We're tasked with the ultimate responsibility for our business' critical applications and data, but we're rarely given a budget to do so. Heck, many of us aren't even allowed to see the budget. As a result, we're forced to either beg for tools or find them for free on the Internet. Cheapskate IT pro Greg Shields has been collecting the very best free tools for over ten years, and wants to share those in his quiver with you! In this must-see session, Greg highlights the very best no-cost Windows tools, some you've used, many you've never seen. Join this session and leave Windows Connections with a brand new toolset for solving the daily tasks in desktop administration.


WIN20: ACTIVE DIRECTORY FEDERATION SERVICES (ADFS): WHY YOU SHOULD CARE AND WHAT YOU SHOULD KNOW
LAURA HUNTER

Active Directory Federation Services (ADFS) 2.0 is designed to meet the growing demand for a single sign-on solution that crosses organization, application and platform boundaries. In this session you will learn about the need for ADFS in a multitude of scenarios, followed by a description of the features and capabilities of the newest release, ADFS 2.0, as well as best practices from Microsoft's internal ADFS team on how to deploy a secure and highly available ADFS 2.0 deployment.

WIN21: INSTALLING ACTIVE DIRECTORY FEDERATION SERVICES (ADFS) 2.0
SEAN DEUBY

The rise of cloud computing has finally given federation technology a real purpose: safely extending your company's Active Directory identities to cloud service providers, instead of creating and managing separate accounts for every provider you use. How do you take the first steps in becoming federationally proficient? Directory expert and MVP Sean Deuby will show you how to install and configure Active Directory Federation Services 2.0 so you can start gaining hands-on experience with this technology.

WIN22: HOW MSIT DEPLOYED ACTIVE DIRECTORY FOR WINDOWS SERVER 2008 AND R2
LAURA HUNTER

Recycle Bin and RODCs and beta builds, oh my! In this session, come and hear true stories from Microsoft's internal Active Directory team on how we tested and deployed Windows Server 2008 and R2 across a large multi-forest environment. We'll include an overview of some of the new Active Directory features in 2008 & R2 that an upgrade brings to the table, as well as tried-and-true methods of planning and implementing an upgrade in a large, complex environment, along with some hints, tricks, and "gotchas" that we faced along the way.


WIN23: BETTER WINDOWS IMAGING: THE VIRTUAL HARD DISK (VHD) FORMAT
RHONDA LAYFIELD

Creating images to deploy to 10 or 10,000 machines has never been easier. Microsoft has supported the .wim image format for quite a while now, but there is a new image format with even better features called "virtual hard disk" (.vhd) images. The old .wim image format forced you to create an image of every partition on your hard disk, and when it came time to deploy you had to apply multiple images to your clients. With virtual hard disk images (.vhd) you can create one image that contains multiple partitions, reducing the amount of time it takes to create and deploy your Windows images. There are some new tools to help you with .vhd images, like "Disk to VHD". Disk to VHD allows you to take an existing installation and turn it into a virtual hard disk image that can be deployed to many machines. Or you can create a .vhd image from scratch in under an hour, but you really need to understand where the pain points are. And last but not least, find out which Microsoft deployment technologies support deploying .vhd images and which do not.

WIN24: DEPLOYING WINDOWS IMAGES THE SAFE, SECURE WAY
RHONDA LAYFIELD

Deploying Windows images involves lots of different user account credentials: credentials for joining a machine to a domain, for creating computer objects, and don't forget about that local administrator account's password on the newly deployed machines. Find out where and how these credentials are stored in the Microsoft tools and how one tool differs from another. This session will help you learn about securely deploying Windows images using Windows System Image Manager (WSIM), Microsoft Deployment Toolkit 2010 Update 1 (MDT 2010 U1), Windows Deployment Services (WDS) and System Center Configuration Manager 2007 (ConfigMgr).

CHECK THE WEB SITE AS WE CONTINUE TO ADD MORE SESSIONS AND SPEAKERS AND MAKE UPDATES

WWW.WINCONNECTIONS.COM



March 27-30, 2011 | Orlando, FL | Register Today!






SHAREPOINT CONNECTIONS

MICROSOFT DAY SHAREPOINT SESSIONS


INTEGRATING SHAREPOINT AND 
WINDOWS AZURE 

AUGMENTING YOUR SHAREPOINT SITE 
USING SILVERLIGHT 

DEVELOPING PARTIAL-TRUST SOLUTIONS 
FOR SHAREPOINT ONLINE 

OVERVIEW OF ENTERPRISE CONTENT 
MANAGEMENT IN SHAREPOINT 2010 

MIGRATING SHAREPOINT 2007 
BUILDING NO-CODE SOLUTIONS FOR 
INTEGRATING WINDOWS PHONE 7 
APPLICATIONS WITH SHAREPOINT 2010 

EXTENDING SHAREPOINT 2010 USING 
BING MAPS 


DEVELOPMENT TRACK 


HDEV01: DEVELOPERS DEEP DIVE INTO SHAREPOINT SECURITY
TED PATTISON

SharePoint 2010 introduces a new claims-based security model that will impact the way that companies design, implement and enforce security within their SharePoint sites. This session explains the fundamental concepts of a claims-based model and shows how the new claims-based model makes it possible to use new types of security principals, such as Active Directory distribution lists and SharePoint Server Audiences, as first-class security objects which can be used to securely configure access to securable objects such as sites, lists, items and documents. The session will walk through developing a custom claims provider with Visual Studio 2010, which will effectively demonstrate the flexibility of how we define the people and groups for whom you need to configure access.


HDEV02: SHAREPOINT DATA ACCESS SHOOTOUT
TED PATTISON

When developing for SharePoint 2010, there are many different ways to access items in a list. When writing server-side code you can use the SPQuery class or the SPSiteDataQuery class. You can optionally use the new LINQ to SharePoint support, which enables you to write LINQ query statements against SharePoint lists. When writing client-side code in JavaScript or Silverlight you can use the CamlQuery class provided by the new client-side object model. You also have the option of using the new REST-based Web service built into SharePoint Foundation or creating your own custom Web service. This means there are different ways for you to query and update items. This session examines each of these techniques in depth and reveals their strengths and weaknesses in terms of performance, productivity and maintainability.

HDEV03: ADVANCED CONTROL AND WEB PART DEVELOPMENT
TED PATTISON

Web Parts aren't the only type that's useful in SharePoint development. This session will begin with a quick primer on creating custom controls for SharePoint sites and demonstrate several examples, including development with user controls and delegate controls. The session also examines the SharePoint Web Part architecture, where you will learn the role of the Web Part Manager and the Web Part Gallery. The session demonstrates several different styles of Web Part rendering, including using an XSLT transform to generate HTML output. Along the way, this session will discuss using persistent properties, creating custom editor parts, as well as taking advantage of Web Part verbs, Web Part connections and using asynchronous processing when retrieving data from across the network.

HDEV04: RECORDS MANAGEMENT IMPROVEMENTS IN SHAREPOINT 2010
JOHN HOLLIDAY

SharePoint 2010 introduces many new content management features that can be applied to build both document and records management solutions. In this session, we'll examine these features in detail and explore ways to apply them to solve traditional records management problems such as creating hierarchical file plans, using metadata to drive content routing and making e-Discovery more accessible for records managers and end users. During the session, we'll also explore the new in-place records management features that make it easier to manage compliance details for individual documents, and we'll take a closer look at the improved Records Center site to see how it combines all of the new content management features to simplify the creation of a locked-down records vault.

HDEV05: SHAREPOINT 2010 RECORDS 
MANAGEMENT DEVELOPMENT 
JOHN HOLLIDAY 

The SharePoint 2010 Content Organizer introduces a new approach to content routing, providing end users with greater flexibility to set up custom routing rules without custom coding. This is great for most situations, but there are still times when standard rule definitions are not enough, particularly when building custom ECM/RM solutions. In this session, you'll learn how to configure a Records Repository programmatically so that it understands and processes incoming document types consistently across the farm. We'll also develop custom information policies, work with the Content Organizer entirely in code to generate and process rules, and extend it to handle real-world scenarios such as routing content to external RM systems.

HDEV06: CONTENT TYPE DISCOVERY USING 
DEPENDENCY STRUCTURE MATRIX ANALYSIS 
JOHN HOLLIDAY 

Content types are the cornerstone of every Enterprise Content Management solution built on the SharePoint platform. However, finding a consistent and repeatable methodology for identifying the appropriate content types for a given solution remains a challenge for most organizations. Dependency Structure Matrix (DSM) analysis has been around for more than 30 years, and has been applied to everything from process modeling to software architecture. This session will explore the use of DSMs to identify content types by deriving functional groups based on the interdependencies that exist between content elements flowing into and out of business processes.

HDEV07: BUILDING CUSTOM APPLICATIONS 
(MASHUPS) ON THE SHAREPOINT PLATFORM 
TODD BAGINSKI 

Custom applications which combine components from several different systems, services, and data sources are more commonplace in today's world than ever before, not to mention they are usually the most fun to build! This session shows how to combine Business Connectivity Services, the SharePoint client object model, SharePoint Search, Silverlight, Bing Maps, Twitter, the Digital Assets Library (Images & Videos), SharePoint list data, and even SharePoint's new rating functionality to create a "mashup" application that provides a wide variety of functionality. In this session, you will learn how to combine all of these components to create eye-catching applications built on the SharePoint framework.
HDEV08: BUSINESS CONNECTIVITY
SERVICES (BCS) DEVELOPMENT PATTERNS 
TODD BAGINSKI 

In this session, you will learn how you can apply repeatable patterns with Business Connectivity Services to work with external data in SharePoint 2010. This session will discuss the different authentication, authorization, and data access options used to connect to external data sources and when each is most appropriate. This session will also discuss modeling complex types and entity associations in a Business Data Connectivity (BDC) model, explain how filtering and throttling work in the BDC runtime, and map common external data scenarios to different data modeling approaches. This session will also demonstrate the different approaches you can use to interact with external data and when each one is appropriate. After attending this session, you will understand when BCS should be used and how to implement it properly.

HDEV09: INTEGRATING WINDOWS 7 MOBILE 
APPLICATIONS WITH SHAREPOINT SITES 
TODD BAGINSKI 

How many times have you heard someone say, "There's an app for that"? Have you ever wanted to create your own mobile application? How about one that integrates with SharePoint? In this session, you will learn how Windows Mobile 7 makes it easy for .NET and Silverlight developers to make the transition and develop applications for mobile devices. You will learn how to develop a Windows 7 Mobile application which integrates with SharePoint websites and other services.

HDEV10: UPGRADING WEB PARTS FOR USE 
ON SHAREPOINT 2010 
MAURICE PRATHER 

Web Parts have been around for three generations. We'll talk about all the different ways Web Part code can be upgraded. We'll discuss how to best move your Web Parts from where they are today to where you want them tomorrow.

HDEV11: BUILDING CLAIMS-AWARE 
APPLICATIONS AND CONTROLS 
MAURICE PRATHER 

What exactly are claims? In this session, we'll quickly cover the fundamentals of claims authentication. Then we'll dive into the details needed to leverage claims within your applications.

HDEV12: SHAREPOINT GUIDANCE: 
DEVELOPING APPLICATIONS-FOUNDATION 
AND EXECUTION 
ROBERT L. BOGUE 

In this action-packed session you'll get a guided tour around the foundation and execution portions of the Microsoft patterns & practices SharePoint Guidance. As a member of the team that built the guidance, Robert will talk through the guidance both from the perspective of the documentation generated as well as the reference implementations and core library. Expect to leave wanting to spend more time mining the value of the SharePoint Guidance.

HDEV13: ENHANCING THE SHAREPOINT 
SOCIAL EXPERIENCE WITH THE 
SHAREPOINT 2010 SOCIAL API 
MATT MCDERMOTT 

This session focuses on the developer interfaces for the Social Computing API and Web services for SharePoint 2010. Social Computing with SharePoint involves creating people-aware applications that take advantage of User Profiles, Social Data, and Personalization built into SharePoint. This session will demonstrate development techniques for:

• Using SharePoint 2010 User Profiles
• Working with the SharePoint User Profile and Social Data Web Services
• Taking action on User Profile Changes
• Using Social Data in Custom Applications Outside the Firewall

HDEV14: EXPLOITING THE "HIDDEN GEMS" 
OF THE SHAREPOINT SOCIAL API 
MATT MCDERMOTT 

This session focuses on two new, and often overlooked, features of the SharePoint User Profile Application that can be used to enhance the end user experience and drive user adoption of SharePoint personal features. This developer-oriented approach demonstrates techniques to leverage the social API and the User Profile Service to create applications that provide business value. This session will demonstrate development techniques for:

• Consuming SharePoint Social Data
• Creating Organizational Profiles for Official and Ad-Hoc Teams
• Creating BDC Connections to Increase Findability of Corporate Data
• Classifying Users to Enhance the User Profile Experience for the Organization

HDEV15: ECM FROM A DEVELOPER'S PERSPECTIVE
PAUL SWIDER

Developers can use the SharePoint ECM programming model to extend the functionality of the new ECM features and create custom document management solutions. In addition, SharePoint 2010 introduces the Managed Metadata store as the enterprise tool for managing taxonomy. In this session you will learn how to add rich ECM functionality to your SharePoint sites using members of the taxonomy and document management object model. At the end of the session you will understand the pros and cons of each namespace.

HDEV16: BUILDING APPLICATIONS WITH THE 
CLIENT OBJECT MODELS 
SCOT HILLIER 

One of the top requests from customers for SharePoint 2010 was that it include more Web service access to the API. Microsoft responded by providing a client-side object model that makes client programming as seamless as server-side programming. In this session, we will cover the fundamentals of the three different client object models: .NET, Silverlight, and JavaScript. Attendees will learn to use the client object models to create solutions that can run within SharePoint or stand-alone. Attendees will leave the session with a strong understanding of the new client object model and how to utilize it in their programming tasks.

HDEV17: ADVANCED SEARCH-BASED 
SOLUTIONS IN SHAREPOINT 2010 
SCOT HILLIER 

Search-based solutions are applications that use a search page as the primary interface. Solutions such as image searching or travel searching in Bing are good examples of search-based solutions. SharePoint 2010 offers developers new ways to extend search and create search-based solutions. In this session, attendees will learn to create advanced search-based solutions such as task management and navigation. Attendees will leave with many new ideas for using search to deliver end-user productivity.

HDEV18: DEVELOPING RICH CLIENT 
SOLUTIONS WITH BUSINESS 
CONNECTIVITY SERVICES 
SCOT HILLIER 

Creating External Lists with Business Connectivity Services is all the rage, but what about the client side? In this session, we'll cover the development techniques for creating client-side BCS solutions. We'll start with declarative solutions designed to customize the BCS experience. Then we'll move on to creating custom Office 2010 add-ins for BCS. Finally, we'll show how to create Windows applications that use BCS data. Attendees will exit with lots of new ideas for creating BCS solutions that run on the client.

ADMIN TRACK 


HITP01: WISH I'D HAVE KNOWN THAT SOONER! 
SHAREPOINT INSANITY DEMYSTIFIED 
DAN HOLME 

After years of helping organizations around the world to deploy and implement SharePoint, Dan Holme has found that there are certain pain points that almost everyone encounters. Some are confusing concepts. Some are bad decisions driven by Microsoft's UI and documentation. Some are due to unnecessarily complex terminology. And some are because there are things that SharePoint should do, but can't. In this session, Dan will share the most common and problematic scenarios, and their solutions, with the goal of saving you pain, time, and money. Think of this session as "Lessons Learned," "Best Practices," or "From the Field" on steroids. Whether you're new to SharePoint or a seasoned veteran, in this grab-bag session there will be treasures for you!

HITP02: SHAREPOINT 2010 DEPLOYMENT DEMOFEST
BEN CURRY

Come get a first look at proven SharePoint Server 2010 deployment best practices. This session is full of real-world lessons learned, tips, and tricks from the field. Ben will give you a LIVE guided tour of a multi-server farm deployment. Learn the basics for creating and managing Web and Service applications, scaling services, and selecting basic server farm topologies for most implementations.

HITP03: ARCHITECTING A SHAREPOINT 
SERVER 2010 FARM 
BEN CURRY 

So, you are ready to install or upgrade to SharePoint Server 2010 but don't know where to start? All of the options and endless combinations of service application topologies can be overwhelming. This session provides a thoughtful approach to designing your SharePoint Server 2010 server farm and gives you confidence that you are heading in the right direction. You'll learn about the service application architecture, common design decisions for scaling service applications, Web application considerations, and how your logical architecture will affect the physical farm topology. Attendee key takeaways: understand SharePoint Server 2010 farm topologies at the 200 level and have a game plan for designing your farm when you get back to the office. Understand the basics of service application architecture, how many servers you'll need, what the hardware requirements are, and how your logical Web application design and user load will impact the physical architecture.

HITP04: ARCHITECTURE BEHIND THE 
SOCIAL COMPUTING PLATFORM IN 
SHAREPOINT 2010 
BEN CURRY 

This session will show you how to plan, design, and implement the User Profile Application (UPA) to provide the platform for social computing in SharePoint Server 2010. There are many misconceptions about how the service application, along with its associated service instances and databases, is implemented. Only when this foundation is correctly configured will you realize the full potential of social computing. This session will include the service application architecture, synchronization with Active Directory, managing user profiles, designing and implementing My Sites, and managing user metadata such as ratings.

HITP05: DESIGNING GOVERNANCE: HOW 
INFORMATION MANAGEMENT AND SECURITY 
MUST DRIVE YOUR DESIGN 
DAN HOLME 

You've read the white papers, you've "Binged" governance, but how, exactly, do you design a SharePoint implementation that will support governance, security, and information management? Join SharePoint MVP and consultant Dan Holme for a practical, nuts-and-bolts look at the close relationship between your information management requirements and SharePoint's manageability controls, and the demands that relationship places on your design and infrastructure. This session is focused on architecting a logical design of SharePoint that effectively supports your information management requirements and governance plan: the "technical" side of governance. You will learn how to align your governance requirements with SharePoint farms, Web applications, and site collections. You'll discover why some third-party applications are a "design poison pill" and what SharePoint 2010 offers to greatly improve the deployment of a governable design. Gain a deeper understanding of the intricacies and challenges of designing the logical structure of SharePoint, and take away practical, blueprint-like guidance to what a governed SharePoint implementation might look like in your enterprise.

HITP06: A PRACTICAL JUMP START TO 
ADMINISTERING SHAREPOINT WITH 
WINDOWS POWERSHELL 
DAN HOLME 

Windows PowerShell is the preferred tool for administering and automating SharePoint outside of Central Administration, and only with PowerShell can you perform scripted configuration and certain tasks such as granular restore. So if you've been holding back on learning PowerShell, the time has come to tackle it. Join SharePoint MVP Dan Holme for a very practical, super-clear PowerShell jump start. You'll learn that you don't need to be a scripting guru to use and understand PowerShell, and you'll learn how easy it is to manage SharePoint with PowerShell.


HITP07: INFORMATION ARCHITECTURE AND 
THE MANAGED METADATA SERVICE: A TO Z 
DAN HOLME 

Join SharePoint MVP Dan Holme for a down-and-dirty, deep examination of the configuration and management of the Managed Metadata Service, and what the MMS does to support your enterprise information architecture. You'll explore every nook and cranny of this powerful service application, and see how to provide both centrally managed taxonomy and user-driven folksonomy for enterprise tags. You'll also explore content type syndication and best-practice guidance for topologies to support your information architecture.

HITP08: WINDOWS POWERSHELL FOR 
SHAREPOINT ADMINISTRATORS AND 
DEVELOPERS 
DON JONES 

Welcome to the future! Microsoft's promise to make administration available through PowerShell continues to come true, most recently in SharePoint Server 2010. Now all you need to do is figure out how best to make use of the shell, whether you're trying to automate administrative tasks or want to use the shell as a ".NET Immediate Window." PowerShell guru Don Jones introduces you to the shell's key concepts, including under-the-hood functionality like pipeline binding, to make you effective without writing a line of script. You'll learn the patterns that govern SharePoint's PowerShell cmdlets, and you'll learn to wrap them into your own reusable, parameterized tools. You'll see how to directly access .NET Framework classes from the shell, and you'll learn how developers can incorporate the shell (and the functionality it provides) from within your own .NET code.

HITP09: SHAREPOINT SERVICE 
ARCHITECTURE DRILL-DOWN 
JOEL OLESON 

The most important decisions you'll make in a SharePoint deployment relate to the service application architecture. There are nearly 20 service applications, and figuring them out and configuring them can be a very daunting task. A common deployment mistake is to simply install all services without knowing what is needed. We'll take a look at these services and how they should be configured for best performance and high availability.

HITP10: UPGRADING TO SHAREPOINT 2010 
JOEL OLESON 

We'll start with the In-Place Upgrade and Database Attach upgrade methods, but the real focus is on the strategy behind the various hybrid upgrade methods. We'll walk through an upgrade decision tree and arm you with the best strategies for providing uptime and the best user experience while achieving IT goals at the same time.

HITP11: SHAREPOINT SEARCH CHALLENGES AND TRICKS
MATTHEW MCDERMOTT

Many organizations struggle with SharePoint search configuration when it falls outside simple document search. This session presents strategies for handling special search scenarios like large files, images and video. This session also presents techniques for metadata tagging of files that are outside of the control of the search team. The tips and techniques are presented as patterns that can be used in many different search situations.

• Search configuration overview
• Large file search configuration
• Image metadata tagging and search
• Image search result configuration
• Tagging and searching files you don't control

HITP12: BUILDING THE PERFECT 
SHAREPOINT 2010 FARM: REAL-WORLD BEST 
PRACTICES FROM THE FIELD 
MICHAEL NOEL 

SharePoint 2010 is nearly a year old, with improvements in scalability, enterprise search, and administration. Best practices from SharePoint 2007 are no longer relevant, and new guidance has emerged from the last year's worth of SharePoint deployments. New features such as SharePoint FAST Search capabilities can have a significant effect on how an environment is architected. In addition, the popularity of server virtualization technologies has created new design options for SharePoint administrators, allowing for new and unique high availability and provisioning options. This session goes right to the heart of the matter, providing physical and virtual architecture guidelines and specific configuration settings that can immediately be used to construct SharePoint 2010 environments that can replace existing SharePoint 2007 farms. Architectural specifics are based on best practices obtained from existing SharePoint 2010 environments of multiple sizes, and performance metrics gathered from both physical and virtual SQL Server and SharePoint environments will help you to build the "perfect" SharePoint 2010 farm for your organization.

• View real-world SharePoint 2010 deployment models for environments of multiple sizes, including virtualized SharePoint farms
• Gain access to specific design criteria for sizing a SharePoint farm and providing for high availability for all components
• Get information to be able to build the "perfect" highly available, high performance and scalable SharePoint 2010 environment that will stand the test of time


HITP13: ARCHITECTING A FAULT 
TOLERANT AND HIGH PERFORMANCE 
SHAREPOINT 2010 FARM 
MICHAEL NOEL 

Significant architectural changes have been made between SharePoint 2007 and SharePoint 2010, including a complete removal of the infamous Shared Services Provider and the ability to have redundant indexing functionality in a farm. In addition, the number of databases in a single farm has increased significantly and Microsoft has overhauled the authentication model used by SharePoint. All of this translates to some significant architectural changes between SharePoint 2007 farm architecture and SharePoint 2010 farm architecture, changing the paradigm for SharePoint infrastructure architects. This session focuses on outlining how the changes in SharePoint 2010 architecture allow for new design scenarios, and how you can design a new fault tolerant and high performance SharePoint 2010 environment to migrate your existing SharePoint 2007 content into.

• Learn how the significant architectural changes between SharePoint 2007 and SharePoint 2010 change how to design a SharePoint farm.
• Examine best practice farm architecture and real-world SharePoint design models.
• Learn best practice advice for how to prepare to re-architect a SharePoint 2007 environment for an eventual migration to SharePoint 2010.

HITP14: PLANNING EXTRANET 
ENVIRONMENTS WITH SHAREPOINT 2010 
MICHAEL NOEL 

Organizations planning for extranet access to SharePoint 2010, or faced with providing access to an intranet from multiple internal authentication platforms, often find it challenging to properly architect SharePoint for extranets, to isolate content, and to manage identities across disparate systems. Understanding how to isolate content from a security perspective while still providing a collaborative space for end users is complex, and if not done correctly can lead to security breaches and confusion. This session focuses on understanding the various extranet models for SharePoint 2010 and providing real-world guidance on how to implement them. Covered are extranet content models and extranet authentication options, including advanced options using tools such as Microsoft's Forefront Identity Manager (FIM) 2010 to centralize identity management to SharePoint 2010 farms, allowing for better control, automatic account provisioning, and synchronization of profile information across multiple SharePoint authentication providers.

• Review extranet design options with SharePoint 2010
• Understand the need for identity management across SharePoint farms
• Examine real-world deployment guidance and architecture for SharePoint environments using multiple authentication providers

HITP15: CLAIMING TO GET FORMS-BASED AUTHENTICATION
ROBERT L. BOGUE

Not everyone has an account in your Active Directory. Sometimes you need to work with people outside the organization. Whether you're working with customers, vendors or partners, you'll need to figure out how to implement forms authentication, and how to manage the users. Password expiration, forgotten passwords, and the need to delegate the permission to create accounts are all real issues you need to be able to deal with. In this session, we'll walk you through the setup of a farm for forms-based authentication (via claims) and implement some of the key account management features you'll need (with the help of some reusable code).

HITP16: PROTECT YOUR SHAREPOINT FARM 
FROM THE EVIL DEVELOPERS 
ROBERT L. BOGUE 

Whether you believe your developers are evil or just under-informed, SharePoint 2010 has a set of tools for you to use to protect yourself from a developer breaking your entire farm. In this session, you'll get an IT pro's introduction to the SharePoint Sandbox and how it can help you, including code isolation and execution quotas. You'll also learn about protection from long-running queries, and how you can put the pieces together to keep your farm running no matter what the developers throw at it.

NO CODE SOLUTIONS TRACK 

HNCS01: MANAGE YOUR EXTERNAL DATA 
USING BUSINESS CONNECTIVITY SERVICES 
... WITHOUT CODE 
ASIF REHMANI 

Business Connectivity Services (BCS) is an evolution of the Business Data Catalog (BDC) concept that was introduced in SharePoint 2007 to get access to your line of business data. In addition to consuming your data, BCS also lets you write data back to your external systems. SharePoint Designer 2010 is used to define your connection properties by creating External Content Types (ECT) without the need for programming! In this session, you'll see how you can surface this data using external lists, metadata in SharePoint lists and also your Outlook application to create robust business solutions.


March 27-30, 2011 | Orlando, FL | Register Today! | 13

SHAREPOINT SESSIONS (CONNECTIONS)


HNCS02: USE DATA VIEWS TO GET TO YOUR 
DATA - BOTH INSIDE AND OUTSIDE OF 
SHAREPOINT 
ASIF REHMANI 

You can use SharePoint Designer to make connections to and present data from internal and external data sources such as SharePoint lists, libraries, XML files, databases and Web services. The focus of this session is on exposing the data to the user using the XSLT Web Parts. These Web Parts can be manipulated in a variety of ways to present the information to the end user. In this session, you'll see how the list view and data view tools can be used to reformat the presentation of the data using conditional formatting, pre-formatted styles, XPath expressions and more.

HNCS03: AUTOMATING BUSINESS 
PROCESSES USING INFOPATH 2010 FORMS 
WITH INTEGRATED SHAREPOINT 
DESIGNER 2010 WORKFLOWS 
ASIF REHMANI 

Forms and workflows are essential to business processes. Companies usually rely on programmers to create the forms and workflows using code. Not anymore! If you have access to Microsoft InfoPath 2010 and Microsoft SharePoint Designer 2010, you can create powerful data-driven form solutions on your SharePoint sites. InfoPath gives you the ability to pull data from databases and lists, and create forms with data validation and conditional formatting. SharePoint Designer's workflows then let you design powerful multi-step workflows centered around the form-collected data. In this session, you'll see how to design a robust form using InfoPath and then design a workflow using SharePoint Designer to route this form appropriately.

HNCS04: USING INFOPATH 2010 AND 
SHAREPOINT DESIGNER 2010 TO MANAGE 
SHAREPOINT LIST FORMS 
ASIF REHMANI 

SharePoint Designer has been a great tool to customize SharePoint list forms for a long time. Now in SharePoint 2010, you can use InfoPath 2010 to customize the forms as well. What's the difference? Why should you use one tool over the other for this purpose? This session shows how each functionality works and explores the pros and cons of using each method to customize your SharePoint list forms.

HNCS05: PERFORMANCEPOINT SERVICES 
2010: BUILDING A DASHBOARD IN 60 
MINUTES OR LESS 
DARRIN BISHOP 

The title says it all. Creating dashboards is now simple thanks to PerformancePoint Services 2010. As a matter of fact, there is no code involved. This session will show you how to create and publish a dashboard in 60 minutes or less. We will create, step by step, all the components needed to surface your data inside a PerformancePoint dashboard. Creating and publishing dashboards is a quick and easy way to make you the hero of the company.

HNCS06: UNDERSTANDING POWERPIVOT 
AND WHAT IT BRINGS TO THE TABLE 
MAURICE PRATHER 

PowerPivot is the newest member of the Microsoft BI stack. We'll examine what it is and how it can be used within the corporate environment.

HNCS07: SOLUTIONS WITHOUT 
SEMICOLONS - THE IT PRO'S GUIDE
TO SOLUTION CREATION 
ROBERT L. BOGUE 

Many organizations are struggling to get the support they need. The IT pro is being asked to help create solutions for business units. The Office System, including SharePoint, Visio, InfoPath, Word, and SharePoint Designer, provides tools that the IT professional can use to create solutions that don't require a single semicolon. In this very practical session, we'll create a few solutions that every IT pro can create that will look like you stayed up all night to learn a new (foreign) language.

HNCS08: USING OUTLOOK AND THE 
SHAREPOINT WORKSPACE WITH 
SHAREPOINT 2010 
SCOT HILLIER 

SharePoint 2010 provides powerful ways to use data offline through Outlook 2010 and the SharePoint Workspace. In this session, you'll learn how to synchronize sites, lists, and libraries with Outlook and the SharePoint Workspace. You'll learn how data is installed and managed on the client so that you can understand the proper way to work with offline data. You'll learn limitations and workarounds associated with offline data including conflict resolution and collaborative document creation. Attendees will exit this session with a complete understanding of how offline data is synchronized, managed, and utilized in Office clients.

SHAREPOINT COMMUNITY TRACK 

HSCM01: SHAREPOINT BRANDING: CREATING 
A SUCCESSFUL BRANDING PROJECT MAP 
CATHY DEW 

Successful branding projects start out with a detailed plan to determine the user needs from a content perspective and the branding needs. By learning what can be created for branding SharePoint Server 2010, and evaluating the components (master pages, CSS, page layouts, themes), you can create a project map. In this session I will also cover the initial considerations needed to allow for a phased approach to implementation and leave room for future growth.

HSCM02: CREATING CONSISTENCY IN USER 
INTERFACE DESIGN WITH SHAREPOINT 2010 
CATHY DEW 

Once a determination has been made to create a custom branded SharePoint 2010 site, you will need to keep in mind all the pieces/parts that need to be created. You must also consider other components that must be decided in regards to the levels, types of sites and functionality of the sites and how the branding will function across all of these pieces. This session will focus on the best practices surrounding master pages, alternate CSS and page layouts for an Intranet site, including what to use where and how far you should push the boundaries of customization.

HSCM03: DON'T JUST MIGRATE-TRANSFORM 
YOUR SHAREPOINT ENVIRONMENT 
CHRISTIAN BUCKLEY 

Migration is not just a technical activity (provision a new system, attach and move databases), but should be a much more thoughtful and planned activity. This session will help attendees understand the difficulties surrounding migration, and the ample opportunities to transform their data, building a new system that meets their environment vision. We will discuss fundamentals of capacity planning, the overall migration schedule, how to involve end users in the process, and understanding the as-is and to-be system views, and outline strategies for taxonomy and metadata management. Attendees will walk away with an action plan for their transformation and migration efforts.

HSCM04: SHAREPOINT'S SOCIAL 
COMPUTING SCORECARD 
CHRISTIAN BUCKLEY 

This session is a deep dive into the leading social networking contenders (Facebook, Ning, Wave, Jive, Box, etc.), comparing and contrasting their capabilities against SharePoint 2010 capabilities, and why they are important to the enterprise. This session will catalog the rise of commercial social media tools, outline social media in the enterprise (business value, changes to social informatics in the workplace, data and intellectual property concerns), and present a scorecard of the primary features of the leading solutions against SharePoint 2010 features in the enterprise, with guidance on how to build comparable solutions in SharePoint, and with answers to concerns about security, IP rights, data management, network impact, and employee productivity. Attendees will walk away with a better understanding of what SharePoint 2010 is capable of, and some ideas for how they can augment their own designs and planning.
HSCM05: TRUST ME I AM A DEVELOPER: 
THINGS AN ADMIN SHOULD KNOW ABOUT 
DEVELOPING ON SHAREPOINT 
DARRIN BISHOP 

Let me tell you how it is. Well, maybe how it should be. There are a lot of us developers in the wild now, and many of us are calling ourselves SharePoint developers. Can you tell the difference? Even though you might be an administrator, you should know enough about SharePoint development to call my bluff, because as a developer, well, sometimes I might try to sneak a thing or two past you. In this session we will discuss what you should be expecting from your SharePoint developers, things we tend to cheat on and how to keep us honest. 

HSCM06: SHAREPOINT AS A PLATFORM FOR 
BUSINESS APPLICATIONS 
OWEN ALLEN 

SharePoint has grown into an extremely capable platform for the rapid construction and assembly of business applications. Learn about the components of the SharePoint platform that can be leveraged as elements of your business process management empire. See what a composite application is and how the combination of SharePoint out-of-the-box platform services and select third-party technologies can open a new frontier for business applications. 

HSCM07: HORIZONTAL AND VERTICAL 
BUSINESS SOLUTIONS FOR 
SHAREPOINT 2010 
OWEN ALLEN 

A tour around the major types of technology solutions (gap fillers), horizontal business solutions, and vertical business solutions that are written for SharePoint 2007 and SharePoint 2010. What strategy should an enterprise develop to evaluate which applications and solutions would be appropriate to help meet the requirements of their business? We will review how to ensure that governance is maintained when multiple solutions are integrated within a SharePoint farm. 

HSCM08: SHAREPOINT SOLUTIONS FOR 
INFORMATION TECHNOLOGY 
PROFESSIONALS 
PAUL SWIDER 

Many IT departments deploy SharePoint for the 
organization and overlook the business value of 
using collaboration internally. In this session, you 
will see examples of no code solutions created in 
SharePoint for IT departments. 


EXCHANGE PRE-CONFERENCE WORKSHOPS 

SUNDAY, MARCH 27, 2011 9AM - 4PM 

EPR01: FILLING IN THE GAPS: EXCHANGE SERVER 2010 SP1 IN-DEPTH 

(HANDS-ON WORKSHOP) 

PETER O'DOWD & TOM PHILLIPS 

Take this one day hands-on workshop to elevate your experience with Exchange Server 2010 SP1. In this 
workshop you'll be instructed by Wadeware Exchange gurus Peter O'Dowd (MVP) and Tom Phillips on the 
specifics of several key features of Exchange Server 2010 SP1. In this information-packed day you'll use 
a Hyper-V laptop provided by Microsoft to walk through several hands-on labs developed by Wadeware. 

• Module 1: Exchange Server 2010 SP1 Overview 

• Module 2: Exchange Server 2010 SP1 Client Access (LAB: Client Access lab, including Mail-tips, 
Outlook Web App and OWA Themes, Personal Archive, External Calendar Sharing) 

• Module 3: Exchange Server 2010 SP1 Information Leakage Protection and Control (LAB: 
Information Leakage Protection and Control, Litigation Hold, EDiscovery Preview Feature) 

• Module 4: Exchange Server 2010 SP1 Management Tools & Role Based Access Control (LAB: 
Exchange Server 2010 SP1 Management Tools & RBAC) 

• Module 5: Exchange Server 2010 SP1 Transport and Routing (LAB: Exchange Server 2010 SP1 
Transport and Routing) 

• Module 6: Exchange Server 2010 SP1 High Availability (LAB: Exchange Server 2010 SP1 High 
Availability) 

EPR02: GET TO KNOW YOUR NEW BEST FRIEND, MICROSOFT LYNC SERVER 2010 

(HANDS-ON WORKSHOP) 

PAUL CHARBENEAU & THOMAS FOREMAN 

Come take a hands-on guided tour of Microsoft Lync Server 2010 and see for yourself how Lync Server 
works to change communication within your organization. Much, much more than Instant Messaging, 
Lync Server provides IM, web conferencing, and Voice over IP solutions that allow you to increase your 
company's overall efficiency. In this information-packed day, you'll use a Hyper-V laptop provided by 
Microsoft to walk through several hands-on labs developed by Wadeware with OCS experts Thomas 
Foreman and Paul Charbeneau. 

• Module 1: Lync Server 2010 Overview. 

• Module 2: Lync Server 2010 Architecture, Planning and Deployment (LAB: The new management 
tools of Microsoft Lync Server 2010) 

• Module 3: Lync Server 2010 Presence (LAB: The Microsoft Lync 2010 Unified Client) 

• Module 4: Lync Server 2010 Voice Features (LAB: Microsoft Lync Server 2010 Enterprise Voice configuration) 

• Module 5: Exchange 2010 SP1 Unified Messaging and Lync Server 2010 Integration (LAB: 
Configuring Exchange 2010 SP1 Unified Messaging and Lync Server 2010 integration) 

• Module 6: Lync Server 2010 New Features (LAB: The Call Park Services and the new features of 
Lync Server 2010) 

Space is limited, so sign up now! 


WINDOWS PRE-CONFERENCE WORKSHOPS 

SUNDAY, MARCH 27, 2011 9AM - 12PM 

WPR01: AUTOMATING ACTIVE DIRECTORY ADMINISTRATION 

MARK MINASI 

Still administering your Active Directory the repetitive, click-and-drag way? Lighten your workload with Windows Server 2008 R2's new PowerShell cmdlets. With these new cmdlets, you can often convert a task that once required a few hundred clicks (or two days of VBScripting) into just a few commands. What's that you say? You don't know PowerShell? No need to worry, as this workshop tosses in enough PowerShell basics to enable anyone comfortable with Active Directory to get productive with the AD PoSH cmdlets in no time. What's that you say? PowerShell doesn't look that exciting and so you're going to skip it? Well, if you do that, you'll miss out on a couple of R2's coolest new AD features, the AD Recycle Bin and managed service accounts, both of which are basically impossible to use without some PowerShell. Look, when it comes to PowerShell, resistance is futile, so why not let veteran AD expert and explainer extraordinaire Mark Minasi take you on an easy-to-follow trip through R2's new cmdlets? We guarantee that every attendee will scratch his or her head and say, "Hey, I could use that!" at least once! 

SUNDAY, MARCH 27, 2011 1PM - 4PM 

WPR02: GROUP POLICY FUNDAMENTALS, SECURITY, AND CONTROL 

JEREMY MOSKOWITZ 

Group Policy is the most efficient way to manage desktops in a Windows environment. If you are still running to machines to install and configure desktops, you are not taking full advantage of the power of Group Policy. In this practical workshop, Jeremy Moskowitz will help you gain control of your environment and get your life back. This is the perfect workshop to take before doing "deep dives" into the main sessions of the conference. You'll get a little bit of everything: deployment, configuration, control, and security! We'll warm up with some Group Policy basics. Jeremy will show you how to manage your environment with GPOs, understand the differences between Group Policy and Group Policy Preferences, and show you the ropes of ADM and ADMX files. You'll get some "solid base hits" to ensure you can go back to work with some good ideas you can immediately put to use. For instance, learn how to zap printers down to your computers, remotely deploy software to your users' desktops, and use Group Policy to secure collections of machines and lock down hardware. We'll examine how Group Policy can do the heavy lifting for the jobs you want to do! This session has both XP and Windows 7 content. 

SUNDAY, MARCH 27, 2011 9AM - 4PM 

WPR03: WINDOWS 7 DEPLOYMENT MASTER CLASS 

RHONDA LAYFIELD 

Learning Windows deployment tools can be quite a daunting task: where do you start and which one do you use? Windows Automated Installation Kit for Windows 7 (WAIK), Windows Deployment Service (WDS), Microsoft Deployment Toolkit 2010 Update 1 (MDT) or System Center Configuration Manager (SCCM)? The last thing you want to do is waste time learning a tool that's not right for you or your environment. Let Setup and Deployment MVP and Desktop Deployment Product Specialist Rhonda Layfield help you figure out which tool is right for you. In this full day deployment workshop, you'll learn how to create, deploy and manage your images using the Windows Automated Installation Kit for Windows 7 (ImageX, DISM, CopyPE, OSCDImg, USMT 4.0). Perform bare metal installations using WDS; learn to install, configure and troubleshoot WDS. Migrate your XP machines to Windows 7 using the MDT 2010 Update 1. Then there's the golden tool, SCCM, which allows you to perform zero touch installations. More importantly, learn the differences between these tools so you can make your deployment solution work for you. 


SHAREPOINT PRE-CONFERENCE WORKSHOPS 

SUNDAY, MARCH 27, 2011 9AM - 4PM 

HPR01: SHAREPOINT 2010 PROFESSIONAL DEVELOPMENT 

ROBERT L. BOGUE & ERIC SCHUPPS 

Go to www.devconnections.com for complete abstract. 

HPR02: DAN HOLME'S SHAREPOINT COLLABORATION MASTERCLASS 

DAN HOLME 

Go to www.devconnections.com for complete abstract. 


EXCHANGE POST-CONFERENCE WORKSHOPS 

THURSDAY, MARCH 31, 2011 9AM - 4PM 

EPS01: COLLABORATION USING SHAREPOINT 2010, EXCHANGE 
SERVER 2010 SP1, AND LYNC SERVER 2010 (HANDS-ON WORKSHOP) 
PETER O'DOWD & PAUL CHARBENEAU 

With your head packed full of valuable information from a week of UC sessions, put it all together in this one-day workshop that shows how to integrate Exchange Server 2010, Lync Server 2010, and SharePoint Server 2010. This instructor-led hands-on lab experience will get you deep into Exchange and guide you through these features, showing you how they are configured and how they can be used to improve your organization's Unified Communications platform. 

• Module 1: Overview of SharePoint 2010 Integration Features (LAB: Using 
My Site and Office Web App for SharePoint) 

• Module 2: Integrating SharePoint with Exchange Server 2010 SP1 (LAB: 
Integrating SharePoint with Outlook and Exchange Server 2010 SP1) 

• Module 3: Integrating SharePoint Workspaces with Outlook and Exchange 
Server 2010 SP1 (LAB: Integrating SharePoint Workspaces with Outlook 
and Exchange Server 2010 SP1) 

• Module 4: Integrating SharePoint with Lync Server 2010 (LAB: Integrating 
SharePoint with Lync Server 2010 and Active Feed) 

• Module 5: Integrating Exchange and Lync Server 2010 (LAB: Integrating 
Exchange OWA and Lync Server) 

No need to bring your laptop, hardware will be provided by Microsoft for this 
event. Space is limited, so sign up now! 


WINDOWS POST-CONFERENCE WORKSHOP 

THURSDAY, MARCH 31, 2011 9AM - 12PM 

WPS01: MIGRATING AND RESTRUCTURING YOUR AD 

J. PETER BRUZZESE 

Support for Windows 2000 ended mid-2010 and the result is an overwhelming number of IT shops looking to migrate their existing domain infrastructure over to Server 2008/2008 R2. In addition, many are in need of a major restructuring of their forests because they were initially created with a domain overkill approach due to the constraints of legacy AD versions. In this workshop we will begin by walking through several tools to aid you with the migration/restructure and then focus on the one with the best price tag, the Active Directory Migration Tool (ADMT), which, incidentally, is free. Using a huge case study which included a migration of 65,000 users and computers from 65 locations and 65 different forests into a single forest with 20 domains, we will discuss all the planning necessities, caveats to avoid, and all of the key focus points to ensure your migration goes smoothly. 


SHAREPOINT POST-CONFERENCE WORKSHOPS 

THURSDAY, MARCH 31, 2011 9AM - 4PM 

HPS01: BUSINESS CONNECTIVITY DEEP DIVE 

SCOT HILLIER & TODD BAGINSKI 

Go to www.devconnections.com for complete abstract. 

HPS02: ORGANIZING INFORMATION IN SHAREPOINT SERVER 2010 

BILL ENGLISH 

Go to www.devconnections.com for complete abstract. 


NOTE: LUNCH IS INCLUDED WITH FULL DAY WORKSHOPS. THE COST OF A WORKSHOP IS IN ADDITION TO THE REGULAR CONFERENCE FEE 
Check Web site for Microsoft and additional speakers. 


A UNIQUE OPPORTUNITY TO GET YOUR TECHNOLOGY AND TRAINING FROM MICROSOFT AND INDUSTRY EXPERTS! 
HOTEL INFORMATION 



JW Marriott Orlando Grande Lakes 
4040 Central Florida Parkway 
Orlando, FL 32837 


TAX DEDUCTION 

Your attendance to the conference 
may be tax deductible. 

Visit www.irs.ustreas.gov. Look for 
topic 513 - Educational Expenses. You 
may be able to deduct the conference 
fee if you undertake to (1) maintain or 
improve skills required in your present 
job; (2) fulfill an employment condition 
mandated by your employer to keep 
your salary, status, or job. 

Join us! 

JW Marriott Orlando Grande Lakes 

The JW Marriott Orlando, Grande Lakes provides all of the comfort and variety you could imagine. From the moment you are welcomed by our signature Spanish fountain, you'll know that you have found one of the most prestigious hotels in Orlando, Florida. Conveniently located near Universal Orlando®, SeaWorld®, and Walt Disney World® and other exciting local attractions, our hotel transports guests to a place of unsurpassed serenity and beauty, including: 

• Access to The Ritz-Carlton Golf Club and Spa 

• Lazy River outdoor heated pool 

Space is limited so reserve your room early by calling the conference hotline. Call the conference hotline at 800-438-6720 or 203-400-6121 to reserve your rooms today! 

The special conference rate will be honored starting two days before the start of conference through two days after the end of the conference, based upon availability. Space is limited so reserve your room early by calling the conference hotline at 800-438-6720 or 203-400-6121. All reservations must be guaranteed with a major credit card to confirm room. 

Parking at the hotel: Daily self-parking is $17.04 and daily valet parking is $23.43 (subject to change) 

AIRLINE 

Please call Pericas Travel at 203-562-6668 for airline reservations. 

AIRLINE SHUTTLE 

Mears Transportation is the designated ground carrier at Orlando International Airport. The shuttle may be picked up at Level 1 of the airport. Visit www.mearstransportation.com for reservations. Rates: $19.00 one-way and $30.00 roundtrip (subject to change) 

GROUP DISCOUNT 

Register individuals from one company at the same time and receive a group discount. 

1-3 registrants: $1,595 per person 

Additional registrants after the 3rd (4th, 5th, 6th...): $1,395 per person ($200 off each) 

Call 800-438-6720 to take advantage of group discount pricing. 


CAR RENTAL 

Hertz is offering auto rental discounts to attendees. See Web site for details. 

ATTIRE 

The recommended dress for the conference is casual and comfortable. 
Please bring along a sweater or jacket, as the ballrooms can get cool with 
the hotel's air conditioning. 

Sponsorship/exhibit information For sponsorship information, 
contact Rod Dunlap 480-917-3527 or rod@devconnections.com 
See Web site for more details: www.WinConnections.com 


Notes & Policies: The Conference Producers reserve the right to cancel the conference by refunding the registration fee. Producers can substitute speakers and topics and cancel sessions without notice or obligation. Updates will be posted on our Web site at www.DevConnections.com. Tape recording and photography are not allowed at any session. Conference producers will be taking candid pictures of events and reserve the right to reproduce them. By attending this conference you agree to this policy. You may transfer this registration to a colleague by notifying us before the start of the event. Please inform us if you have any special needs or dietary restrictions when you register. The conference registration includes the following subscriptions. This is not an additional expense, and subtraction from prices listed is not permissible. Exchange and Windows Connections registration includes a one-year (12 issues) print subscription to Windows IT Pro magazine for Exchange and Windows conference attendees only. Current subscribers will have an additional 12 months added to their subscription. Subscriptions outside of the United States will be served in digital; $12.50 of the funds will be allocated toward a subscription to Windows IT Pro ($49.95 value). SharePoint Connections registration includes a print subscription (4 issues; March, June, Sept, Nov) to SharePointProConnections magazine for SharePoint and Windows conference attendees only. Current subscribers will have an additional one year (4 issues) added to their subscription. Subscriptions outside of the United States will be served in digital. 

Exhibitors and Sponsors are not eligible for special attendee promotions including (but not limited to): free hotel nights, hotel gift certificates and registration giveaways. 

Registration & Cancellation Policy: Registrations are not confirmed until payment is received. Cancellations before February 25, 2011 must be received in writing and will be refunded minus a $100 processing fee. After February 25, 2011, cancellations and no-shows are liable for full registration; it can be transferred to the next conference within 12 months or to another person. Microsoft, Microsoft .NET, ASP.NET, Visual Studio.NET, Microsoft SQL Server, Exchange and Windows are either trademarks or registered trademarks of Microsoft Corporation. All other trademarks are property of their owners. 
CONFERENCE REGISTRATION • MARCH 27-30, 2011 


FULL CONFERENCE REGISTRATION INCLUDES KEYNOTE ON MARCH 27, 2011 
THROUGH CLOSING SESSION MARCH 30TH, 4:30PM 


NAME 

PRIORITY CODE 

COMPANY 

TITLE 

STREET ADDRESS (REQUIRED TO SHIP MATERIALS) 

CITY, STATE, POSTAL CODE 

COUNTRY 

TELEPHONE FAX 

E-MAIL ADDRESS (IMPORTANT) 


ONLINE: www.WinConnections.com 
E-MAIL: info@WinConnections.com 
PHONE: (800)438-6720 
(203) 400-6121 
FAX: (913)514-9362 
MAIL: 

Penton Media 
731 Main Street Ste C3 
Monroe CT 06468 


□ Microsoft Exchange Connections 

□ Windows Connections 

□ SharePoint Connections 

On or Before February 1st, 2011: $1495 

After February 1st, 2011: $1595 

FOR WHICH CONFERENCE ARE YOU REGISTERING? 


PRE-CONFERENCE WORKSHOPS Sunday, March 27, 2011. Lunch is included with full day workshops. 


□ EPR01: FILLING IN THE GAPS: EXCHANGE SERVER 2010 SP1 IN-DEPTH (HANDS-ON WORKSHOP) O'Dowd & Phillips. 9AM-4PM $425 

□ EPR02: GET TO KNOW YOUR NEW BEST FRIEND, MICROSOFT LYNC SERVER 2010 (HANDS-ON WORKSHOP) Charbeneau & Foreman. 9AM-4PM $425 

□ WPR01: AUTOMATING ACTIVE DIRECTORY ADMINISTRATION Minasi. 9AM-12PM $199 

□ WPR02: GROUP POLICY FUNDAMENTALS, SECURITY, AND CONTROL Moskowitz. 1PM-4PM $199 

□ WPR03: WINDOWS 7 DEPLOYMENT MASTER CLASS Layfield. 9AM-4PM $399 

□ HPR01: SHAREPOINT 2010 PROFESSIONAL DEVELOPMENT Bogue & Schupps. 9AM-4PM $399 

□ HPR02: DAN HOLME'S SHAREPOINT COLLABORATION MASTERCLASS Holme. 9AM-4PM $399 


POST-CONFERENCE WORKSHOPS Thursday, March 31, 2011. Lunch is included with full day workshops. 

□ EPS01: COLLABORATION USING SHAREPOINT 2010, EXCHANGE SERVER 2010 SP1, AND LYNC SERVER 2010 (HANDS-ON WORKSHOP) O'Dowd & Charbeneau. 9AM-4PM $425 

□ WPS01: MIGRATING AND RESTRUCTURING YOUR AD Bruzzese. 9AM-12PM $199 

□ HPS01: BUSINESS CONNECTIVITY DEEP DIVE Hillier & Baginski. 9AM-4PM $399 

□ HPS02: ORGANIZING INFORMATION IN SHAREPOINT SERVER 2010 English. 9AM-4PM $399 


CONFERENCE MATERIALS 

FULL CONFERENCE REGISTRATION INCLUDES MATERIALS FOR THE CONFERENCE FOR WHICH YOU REGISTER; YOU MAY PURCHASE MATERIALS FOR THE OTHER CONCURRENTLY RUN EVENTS. 


□ Microsoft Exchange Connections Conference CD. $75 

□ Windows Connections Conference CD. $75 

□ SharePoint Connections Conference CD. $75 


TOTAL 


□ CHECKS (payable to Penton Media) All payments must be in US Currency. Checks must be drawn on a US bank. 

□ CREDIT CARD □ VISA □ MASTERCARD □ AMEX 
ASK THE EXPERTS 


Q: How can I test if my application will work on Windows 7 as a standard user instead of as an administrator? 

A: Microsoft provides an Application Compatibility Toolkit that includes several tools, including the Standard User Analyzer. SUA lets an application launch within the SUA environment and removes any administrator privileges. You then perform actions within the application, and if items fail because you don't have sufficient permissions without administrator privileges, the SUA will track those failures. Once you've tried all the actions within the application, SUA will generate a report of the failures and recommendations on how to get the application to run using various shims, such as file system/registry redirection. You can use the Compatibility Administrator to actually see all the recommended shims to enable the application to correctly run as a non-administrator. This is a very useful tool when you're looking to migrate your applications to Windows 7 from Windows XP, because hopefully you'll be moving from having all users as local administrators. 

Once you've installed the Application 
Compatibility Toolkit, you should also 
install the Microsoft Application Verifier 
and then launch SUA. You can select the 
application you want to scan and unselect 
Elevate under the launch options. Then 
launch the application and try all the 
different functions—you want to hit any 
problems so SUA can help find solutions. 
Once you've run the application, you can 
also navigate to various tabs, such as File 
and Registry, to see any problems that 
were found. 

—John Savill 

InstantDoc ID 129220 

Q: I want to start a Windows 
Defender malware and spyware 
scan from a batch file. Does 
Windows Defender come with a 
command-line utility in 
Windows 7? 

A: Yes, Windows Defender includes a command-line utility called mpcmdrun.exe that you can use to start Defender scans from a batch file. The utility is located in the %ProgramFiles%\Windows Defender folder. Make sure to use an administrator-level command prompt window for all Mpcmdrun commands. To see the available options for the tool, use the command 

mpcmdrun.exe -? 

To download the latest Defender signature 
files, use the command 

mpcmdrun -signatureupdate 

To perform a quick Defender scan of your 
system, use 

mpcmdrun -scan -1 

For a full system scan, replace 1 with 2. 
Note that Mpcmdrun will always check 
for signature updates before starting the 
actual scan. 

—Jan De Clercq 

InstantDoc ID 129242 
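As an added example (not part of the column and not Microsoft's code), the following PowerShell script wraps the mpcmdrun commands from the answer above for scheduled or scripted use on Windows 7: it refuses to run unless the session is elevated, refreshes signatures, runs a quick (-scan -1) or full (-scan -2) scan, and records each exit code. The log file location and the parameter names are assumptions.

```powershell
# Added example: scripted Windows Defender scan via mpcmdrun.exe on Windows 7.
# Only the switches shown in the answer (-signatureupdate, -scan -1, -scan -2)
# are used; the log path below is an assumed location, not a Defender default.
param(
    [ValidateSet(1, 2)]
    [int]$ScanType = 1,                                    # 1 = quick, 2 = full
    [string]$LogPath = "$env:ProgramData\DefenderScan.log"  # assumed log location
)

$ErrorActionPreference = 'Stop'

# The utility lives in %ProgramFiles%\Windows Defender, as the answer states.
$mpcmdrun = Join-Path $env:ProgramFiles 'Windows Defender\mpcmdrun.exe'
if (-not (Test-Path $mpcmdrun)) {
    throw "mpcmdrun.exe not found at $mpcmdrun"
}

# The answer requires an administrator-level prompt; fail early if not elevated
# rather than letting the scan silently run with reduced rights.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$adminRole = [Security.Principal.WindowsBuiltInRole]::Administrator
if (-not $principal.IsInRole($adminRole)) {
    throw 'Run this script from an elevated (administrator) PowerShell session.'
}

function Write-Log([string]$Message) {
    # Timestamped line to both the log file and the console.
    $line = '{0:yyyy-MM-dd HH:mm:ss} {1}' -f (Get-Date), $Message
    Add-Content -Path $LogPath -Value $line
    Write-Host $line
}

function Invoke-Defender([string[]]$Arguments) {
    # Run mpcmdrun synchronously and return its exit code (non-zero = failure).
    Write-Log ('mpcmdrun.exe ' + ($Arguments -join ' '))
    & $mpcmdrun @Arguments | Out-Null
    return $LASTEXITCODE
}

# Step 1: download the latest signature files (mpcmdrun -signatureupdate).
$rc = Invoke-Defender @('-signatureupdate')
Write-Log "signature update exit code: $rc"

# Step 2: quick scan (-scan -1) or full scan (-scan -2), per the answer above.
$rc = Invoke-Defender @('-scan', "-$ScanType")
Write-Log "scan (type $ScanType) exit code: $rc"

# Propagate the scan's exit code so a scheduled task or batch caller can act on it.
exit $rc
```

Run it as `.\Invoke-DefenderScan.ps1 -ScanType 2` from an elevated PowerShell session for a full scan; Task Scheduler can run the same script with "Run with highest privileges" set.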

Q: Is Microsoft Enterprise Desktop 
Virtualization (MED-V) supported 
on Windows XP clients? 

A: MED-V is the component of the Microsoft Desktop Optimization Pack (MDOP) that enables centralized management of virtual images that are run locally on client desktops. These images are used for running legacy applications or system components on newer desktop OSs. 

For example, it's common to use MED-V to manage an XP image. The process includes deploying the Virtual Hard Disk (VHD), updating the VHD, and setting shortcuts on the desktop on a Windows 7 OS. Inside the XP VM, you'd run applications that won't run on Windows 7. 

If your organization needs Internet Explorer (IE) 6, you could also use MED-V to configure URLs that should be redirected to the IE inside the XP image when entered by the user. This URL redirection means a user doesn't have to select IE 6 from the XP VM—the MED-V components see the URL and automatically redirect it, per defined policy. 

The great part of MED-V is that the applications running in XP aren't displayed on a separate XP desktop—the application windows are displayed on the main Windows 7 desktop, which means the user is unaware of the XP VM and just runs applications as usual. 

As I said, the MED-V component is normally used on Windows 7 (and Windows Vista) desktops to deploy and manage an XP VM for legacy applications and sites. However, MED-V is supported on XP if you find that you need that functionality. For example, maybe your organization is still on XP and has deployed IE 8, but you need IE 6 for a particular group of sites. With MED-V, you'd have an XP VM containing IE 6 that would be used automatically for certain URLs. 

For XP support, SP2 or SP3 must be installed and you must be using an x86 architecture. 

—John Savill 

InstantDoc ID 129324 

Q: What's the difference between 
a thick and "eager zeroed" thick 
virtual disk in VMware ESX? 

A: Most of us are familiar with the difference between a thin-provisioned virtual disk and a thick-provisioned virtual disk. 

A thick disk's blocks are allocated in VMFS when the disk is created and a thin disk's blocks aren't. Not allocating the blocks at creation allows a thin disk to consume space as it needs it. 

There is, however, a third type of disk provisioning in VMware ESX—eager zeroed thick. This disk-provisioning process goes a step further than the thick process by fully allocating and zeroing out all the data inside the disk array at the time the disk is provisioned. 

This is an important distinction because a regular thick disk will require a short pause as its data expands to zero out data on the array. This isn't the case in an eager zeroed disk, where the space on the array has already been provisioned and the data zeroed out. 

The difference in performance between a thick disk and an eager zeroed thick disk is very small, but some applications, such as Microsoft Cluster Services and VMware Fault Tolerance, still require eager zeroed thick provisioned disks. 

—Greg Shields 

InstantDoc ID 128999 
Q: How do I configure flow control 
on VMware ESX/ESXi servers? 

A: VMware knowledgebase article 1013413 discusses the specifics for setting flow control on a VMware ESX or ESXi server's physical NICs. Flow control is a network configuration that manages the rate of data communication between two different network interfaces. It's necessary to prevent the outbound data from a fast sender from overwhelming the interface on a slow receiver. 

Flow control is typically configured on network equipment, but it can be configured on hosts and storage devices as well. Configuring flow control on VMware ESX is different depending on the type of network card in the server. For example, a VMware ESX server with four Intel NICs will use the following command to disable flow control: 

esxcfg-module -s FlowControl=0,0,0,0 e1000 

In the command above, the four zeros separated by commas correspond to the four physical adapters in the server. Options 1, 2, and 3 are also possible, with 1 corresponding to receive only, 2 to transmit only, and 3 to receive and transmit. 

Broadcom cards use a different command syntax for configuration, with a command similar to the following needing to be added to the VMware ESX host's rc.local file: 

ethtool -A vmnic# autoneg on rx off tx off 

The knowledgebase article provides 
more detail about flow control options. 

Be aware that network problems, such as 
excessive pause frames being transmitted 
across the network, can occur when flow 
control isn't configured properly. 

—Greg Shields 
InstantDoc ID 128998 

Q: Is it true that Windows 7 allows 
20 concurrent connections instead 
of 10? 

A: Yes. Previous versions of Windows limited you to five connections if you were running Home Basic or 10 connections for Home Premium or later editions. With Windows 7, all editions support 20 concurrent connections for services such as File Services, Print Services, IIS, Internet Connection Sharing, and Telephony. 

If you want to confirm this, just run 
the Winver command, click the Microsoft 
Software License Terms link, then scroll 
down to section 3F. 

—John Savill 

InstantDoc ID 129322 

Q: What pre-boot steps are necessary when restoring an Exchange Server or Active Directory Domain Controller (ADDC) virtual machine (VM)? 

A: Many virtual-environment backup solutions focus heavily on the backup side of the process. In fact, the Administrator's Guide for one popular solution is over 2,000 pages long, but dedicates only a very small percentage of those pages to the actual restore process. 

This lack of detailed guidance can cause extra pain when critical VMs are down. Two types of VMs in particular have special needs that must be handled prior to booting them after a restore—Exchange servers and ADDCs. 

Microsoft provides very specific guidance that must be followed in the case of Exchange servers backed up using an image-level solution. That guidance is: 

1. Boot the Exchange VM with its 
mailbox stores dismounted. 

2. Instruct the Exchange VSS Writer to 
perform a restore from an available VSS 
snapshot. 

3. Mount the mailbox stores. 

ADDCs also have an important pre-boot 
requirement. After restoring the VM 
from an image-level backup, the ADDC 
VM must be first booted into Directory 
Services Restore Mode. Not performing 
this step can cause the ADDC to become 
isolated from the rest of the domain. 

While unlikely (due to recent changes in 
AD replication logic), the potential exists 
that it can also create a situation known as 
update sequence number (USN) rollback, 
which can create significant problems with 
data in the AD database. 


While these two steps seem trivial, you can miss them during the flurry of activity that occurs after a server failure. That's why some image-level backup vendors now install a temporary agent into the VM as it's being backed up. This agent ensures that the VM boots up with the proper settings (or into the correct mode) after restoration, to prevent the restore from creating further problems. 

—Greg Shields 

InstantDoc ID 129302 

Q: Can I use the same profile for 
my desktop roaming profile and 
my Terminal Services sessions? 

A: A terminal server can use a specified profile for a user's roaming profile, but the practice of sharing a profile between desktop and Terminal Services sessions is highly discouraged because of the risk of inconsistencies being introduced—a user might be logged onto a client OS accessing the roaming profile and also have a Terminal Services session using the same profile. Whichever session logged off last would overwrite any changes made by the other session. You could also see problems if a client OS profile is loaded onto a server OS, depending on the configuration of the profile. 

The best approach is to have two separate profiles, a roaming profile for client OS logon and a terminal server profile for Terminal Services sessions. This is easy to configure using the properties of the user account via the Profile and Remote Desktop Services Profile tabs. 

Remember that if you're using published applications through RemoteApp or Citrix XenDesktop, which only display applications on your local desktop, you're still running a complete session on the remote server, so you need to be careful to use separate profiles. If you actually use multiple Terminal Services sessions concurrently, you need to look at using local profiles or mandatory profiles to avoid the inconsistency problems associated with multiple systems using a profile at the same time. You could also think about a third-party profile solution that virtualizes the entire user profile. 

—John Savill 

InstantDoc ID 129275 
Q: What's the correct sequence of actions to remove an application from the Microsoft Application Virtualization (App-V) management server?

A: An application in the App-V Manager 
is really present in three places: 

• the App-V content share (which stores 
its actual application content) 

• the package containing the virtualized 
application 

• the entry in the Applications node 

You need to remove it from all three places, and you need to do it in the opposite of the order shown above.

1. Navigate to the Applications node in 
the Application Virtualization Management 
Console and delete the application. 

2. Navigate to the Packages node 
and delete the package containing the 
application. 

3. Open Explorer and navigate to the content share. The default location is C:\Program Files (x86)\Microsoft System Center App Virt Management Server\App Virt Management Server\content. Delete the folder for the virtualized application you've removed.

As a final step, ideally you'd remove the 
application from your local computers' 
caches, but you'd need to do this using a 
script—it's not possible using the App-V 
management console. 

—John Savill 

InstantDoc ID 129184 

Q: What protocols are used for 
BranchCache clients? 

A: BranchCache is a great feature and has minimal port requirements. In distributed mode, clients use WS-Discovery to discover cached content and then HTTP to transfer data between clients. In hosted mode, clients communicate directly with a local BranchCache server, so there's no discovery required. Again, clients use HTTP to retrieve content from the configured BranchCache server. When clients have content to offer to the BranchCache server for storage, they use HTTPS to communicate with the server.

The protocols used are, therefore: 


• HTTP (port 80) for content retrieval 
using BranchCache retrieval protocol. 

• WS-Discovery (port 3702 UDP) for 
content discovery in distributed cache 
mode. 

• HTTPS (port 443) for content upload in 
hosted cache mode using hosted cache 
protocol. 

—John Savill 

InstantDoc ID 129271 

Q: How do I give administrators at 
specific locations the ability to see 
inventory information and man¬ 
age machines using System Center 
Configuration Manager (SCCM) only 
for machines at their locations? 

A: The best way to give granular management to specific users for machines at specific locations is to create collections that contain the machines at that location and use SCCM Security Rights to grant local administrators management rights over specific collection instances. This will give them full control over the machines in the collection without rights over any other machines.

You can create the collections using 
direct membership rules, where you just 
place the computers into the collection. 
You can also use a dynamic collection 
based on rules, such as IP subnet or AD 
sites, to automatically place machines into 
the right collection. 

—John Savill 

InstantDoc ID 129269 

Q: What is strict KDC validation? 

A: Strict KDC validation makes smart card logons in a Windows AD environment more secure and makes the authentication validation logic more resistant to certain attacks. If you have many smart card users, I strongly advise you to enable this feature.

Strict KDC validation isn't enabled by 
default. You can enable it using the Require 
strict KDC validation Group Policy Object 
(GPO) setting, which is located in the 
Computer Configuration\Administrative 
Templates\System\Kerberos Policy GPO 
container. Strict KDC validation is only 
supported on Windows 7, Windows Server 
2008, Windows Server 2008 R2, Windows 
Vista Service Pack 1 (SP1), and later OSs. 


Strict KDC validation enables a more restrictive set of criteria that must be met by a Windows Kerberos Key Distribution Center (KDC) for successful smart card-based user authentication. The KDC is the Kerberos authentication service that's part of every AD domain controller (DC). A Windows client that has the strict KDC validation setting enabled will validate the certificate-based Kerberos authentication messages it gets from a DC by checking that all of the following conditions are met:

• The DC has a private key that 
corresponds to the KDC certificate. 

• For domain-joined systems, the CA that issued the KDC certificate is contained in the AD NTAuth store.

• For non-domain-joined systems, the 
root CA of the KDC certificate is either 
in the Third-Party Root Certification 
Authorities or in the Smart Card Trusted 
Roots containers of the Windows client's 
certificate store (accessible from the 
MMC Certificates snap-in). 

• The KDC certificate has the KDC 
Authentication entry in the Extended 
Key Usage (EKU) X.509 extension. 

• The KDC certificate's SubjectAltName 
(SAN) X.509 extension contains the 
domain's DNS (FQDN) and NetBIOS 
names. 

• The KDC certificate's DNSName field 
of the SubjectAltName (SAN) X.509 
extension matches the domain's DNS 
name (FQDN). 

When you plan to use strict KDC validation, it's important that all your DCs have a correct KDC server certificate that adheres to the last three conditions in the list above. You can create a valid DC certificate using the new certificate template Kerberos Authentication that Microsoft includes in Server 2008. Certificates created from this template have the proper KDC EKU and SAN certificate extensions. The older Domain Controller and Domain Controller Authentication certificate templates don't contain the correct extensions and will fail the strict KDC validation checks.
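Before enabling the GPO setting, you can check which of the certificate conditions above each DC certificate already satisfies. The following PowerShell script is an added example, not from the article or from Microsoft; it assumes the KDC Authentication EKU is OID 1.3.6.1.5.2.3.5, that the English "DNS Name=" label appears in the formatted SAN text, and uses placeholder domain names (corp.example.com / CORP) and hypothetical function names.

```powershell
# Added example, not part of the article: audit the certificates in a domain
# controller's machine store against the EKU/SAN conditions that strict KDC
# validation checks. Run it on the DC as an administrator.
# Assumptions: the KDC Authentication EKU OID is 1.3.6.1.5.2.3.5 (id-pkinit-KPKdc)
# and X509Extension.Format() labels SAN entries "DNS Name=" (English Windows).

$KdcAuthenticationEku = "1.3.6.1.5.2.3.5"

function Get-SanDnsNames {
    # Extract the DNS names from a certificate's SubjectAltName extension.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.17" }
    if (-not $san) { return @() }
    # Format($true) renders one entry per line, e.g. "DNS Name=dc1.corp.example.com"
    ($san.Format($true) -split "`r?`n") |
        Where-Object { $_ -match '^\s*DNS Name=' } |
        ForEach-Object { ($_ -replace '^\s*DNS Name=', '').Trim() }
}

function Test-KdcCertificate {
    # Report the strict-KDC conditions a single certificate meets.
    param(
        [Parameter(Mandatory=$true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [Parameter(Mandatory=$true)][string]$DomainDnsName,     # e.g. corp.example.com
        [Parameter(Mandatory=$true)][string]$DomainNetBiosName  # e.g. CORP
    )
    $eku = $Cert.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.37" }
    $ekuOids = @()
    if ($eku) { $ekuOids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
    $dns = @(Get-SanDnsNames -Cert $Cert)

    $r = New-Object PSObject -Property @{
        Subject       = $Cert.Subject
        Thumbprint    = $Cert.Thumbprint
        HasPrivateKey = $Cert.HasPrivateKey                          # private key present
        HasKdcEku     = ($ekuOids -contains $KdcAuthenticationEku)   # KDC Authentication EKU
        SanHasFqdn    = ($dns -contains $DomainDnsName)              # SAN DNSName = domain FQDN
        SanHasNetBios = ($dns -contains $DomainNetBiosName)          # SAN contains NetBIOS name
        SanDnsNames   = ($dns -join ";")
    }
    # The CA-trust conditions (NTAuth store / root store membership) are not
    # checked here; verify those separately on the client side.
    $pass = $r.HasPrivateKey -and $r.HasKdcEku -and $r.SanHasFqdn -and $r.SanHasNetBios
    $r | Add-Member -MemberType NoteProperty -Name PassesStrictKdc -Value $pass -PassThru
}

# Usage on a DC; replace the placeholder names with your domain's FQDN and NetBIOS name.
Get-ChildItem Cert:\LocalMachine\My |
    ForEach-Object { Test-KdcCertificate -Cert $_ -DomainDnsName "corp.example.com" -DomainNetBiosName "CORP" } |
    Format-Table Subject, HasPrivateKey, HasKdcEku, SanHasFqdn, SanHasNetBios, PassesStrictKdc -AutoSize
```

A DC whose only certificates show HasKdcEku or SanHasFqdn as False was most likely enrolled from the older Domain Controller templates and needs a certificate from the Kerberos Authentication template before clients are switched to strict validation.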

More information on strict KDC validation can be found in the Microsoft document "Enabling Strict KDC Validation in Windows Kerberos," bit.ly/idTpvM.

—Jan De Clercq

InstantDoc ID 129239
Sandboxed Solutions


Keep your farm 
healthy with 
this new feature 

by Randy Williams 


With all the publicity surrounding SharePoint 2010's new features, there's an important feature that's often undersold: sandboxed solutions. Sandboxed solutions, sometimes called user solutions, are a big deal, especially for SharePoint administrators. Put simply, they allow custom enhancements to be easily and safely deployed into your SharePoint environment. In this article, I'll explain what sandboxed solutions are, help you recognize their advantages and disadvantages, and make sure you understand how to deploy and manage them. Before I get too far, though, I'll clarify what a solution is in the context of SharePoint.

In addition to being a powerful product, SharePoint is also a platform where custom applications can be developed to make SharePoint a better fit for specific needs. For example, you can develop new web parts, workflows, master pages, and many other customizations. The term solution, in this context, refers to the packaging of these customizations into something called a solution package or WSP.

Solution packages were introduced in SharePoint 2007 and are the preferred way of packaging and deploying all types of custom code enhancements. Traditional solution packages from previous versions are now called farm solutions, because they're added into the farm. Farm solutions are deployed into the file system of your SharePoint web servers. Sandboxed solutions are also based on WSP packages, but are deployed into a site collection and are executed very differently.


Advantages and Drawbacks 

The biggest problem with SharePoint's custom enhancements is the support burden they add. Custom 
code is the number one root cause for SharePoint support problems, and when it causes problems, 
it's usually the SharePoint administrator who's implicated, not the developer. A troublesome web 
part, for example, can crash pages where it's used, and depending on the severity, can take down 
an application pool and the web application with it. Sandboxed solutions, conversely, aren't able to 
destabilize the farm. 

Another advantage of sandboxed solutions is their ease of deployment. The SharePoint farm 
administrator should first review and then must deploy farm solutions. There's not much guidance 
out there on how to review, and it really boils down to whether the solution is trusted or not. With 
sandboxed solutions, there's no need for a review. They're simply uploaded and deployed at the site 
collection level, which gives you the option of empowering site collection administrators with this 
responsibility. This is better for admins and better for business. 

If your SharePoint system is hosted in the cloud, such as with SharePoint Online, you're probably not able to take advantage of farm solutions. Sandboxed solutions, because they're safe, can be deployed and used in both hosted and on-premise installations.

There are some limitations to sandboxed solutions, however. Safety features restrict the types of customizations that can be deployed as sandboxed solutions. There are two main ways that sandboxed solutions are controlled: a code access security (CAS) policy and a subset of SharePoint API calls that aren't allowed. For example, a custom workflow developed with Visual Studio can't be deployed as a sandboxed solution. To ensure its safety, all code originating from sandboxed solutions is restricted from performing functions outside the sandbox. This includes accessing the file system, registry, and network resources. So there's no calling into external web services or accessing your ERP databases.

Some developers will lament these limitations, saying they're too restrictive. As a developer myself, I understand. Sandboxed solutions won't be the way to deploy all forms of custom code, but they're certainly valid for a percentage of them. For organizations with hosted SharePoint, these solutions bring a much welcomed degree of flexibility. Also, sandboxed solutions support calling into separate, trusted code running outside the sandbox. This is called full-trust proxy and is a way of working around these limitations.

Running Code 

Code that's contained within a sandboxed solution is run differently than out-of-the-box code or code in a farm solution. For code not using this full-trust proxy, there are two processes that are used. Figure 1 depicts how this works at a high level. Let's say that a user requests a page that's running a custom web part that's deployed inside a sandboxed solution. As with all browser requests, the Web Front End (WFE) running Microsoft IIS receives it first. A part of the IIS worker process (W3WP.exe), called the Execution Manager, recognizes this as a special request and issues its own request to the sandbox service (SPUCHostService.exe) that may be running on a different server (which I call a sandbox host). The sandbox service will then create a new worker process (SPUCWorkerProcess.exe), if needed, to execute the request. This worker process will first verify the code to ensure it is allowed and will then execute it, returning the output to the WFE.

This design provides many benefits. One is that you can have multiple sandbox host servers that can execute requests, giving you fault tolerance and scalability. Another is that if the custom code uses resources such as CPU or RAM heavily, it won't slow down your WFE servers. You also have other options, such as monitoring and throttling usage, which are covered later.

Allowing Sandboxed Solutions 

Before you can run sandboxed solutions, you must enable them by starting the Microsoft SharePoint Foundation Sandboxed Code Service. You can do this from Central Administration, System Settings, Manage services on server. Starting this service on a server in the farm makes the server a sandbox host.

You can, optionally, define how your sandbox requests are load balanced. The setting is located in Central Administration, System Settings, Manage user solutions. One option is to run the sandboxed code on the same WFE that received the browser request. The code will still run in separate processes, as shown in Figure 1, but the WFE won't send the request to a different server. This option is faster, but requires that you run the sandboxed code service on each WFE server—in other words, all your WFE servers are also sandbox host servers. This option is best if you have a small farm or don't use many sandboxed solutions.

The other option, which is the default, is to route the request from the WFE to one of the sandbox host servers. Doing it this way allows you to distribute the requests across as many servers as you need. You define the servers by starting the sandboxed code service on them. These servers can be WFE servers or other application servers in your farm. This option is best if you want more control over where the code runs, if you have many sandboxed solutions, or if the code is resource heavy.

Deploying Sandboxed Solutions 

Deploying sandboxed solutions is very easy, and anyone who is a site collection administrator can do it. There are two steps. First, upload a WSP solution in the Solutions gallery that's part of each site collection. You can access this gallery by going to Site Settings, Solutions from the top-level web site in a site collection. Farm administrators can also do it by running the Add-SPUserSolution PowerShell cmdlet from the SharePoint 2010 Management Shell.

Once the solution is uploaded, you need to activate it, which is done from the same screen. Activating a solution unpacks the WSP and makes the solution available to users in the site collection. To do this from PowerShell, use the Install-SPUserSolution cmdlet. Note that members of the owner group can upload WSP solutions, but only site collection administrators can activate them.

In addition to uploading sandboxed solutions, you can browse an online gallery of them from Microsoft. The concept is just like that of Apple's App Store. At the time of this writing, there are no solutions available, but this will soon change. Expect this to become a common way to search and download SharePoint enhancements.

Monitoring Sandboxed Solutions 

To prevent sandboxed solutions from overusing system resources, you can monitor and set resource quotas. The quota is set on the site collection as a whole, not on individual solutions. In Central Administration, go to Application Management, Configure quotas and locks, and you'll see this setting near the bottom of the screen, as Figure 2 shows.

Figure 1: Running a sandboxed request

Figure 2: Setting a sandboxed solution quota (Sandboxed Solutions Resource Quota: Limit maximum usage per day to: 300 points; Send warning e-mail when usage per day reaches: 100 points; Current usage (today): 0 points; Average usage (last 14 days): 266.632 points)

Figure 3: Resource Usage ("Your resource quota is 300 server resources. Solutions can consume resources and may be temporarily disabled if your resource usage exceeds your quota.")

Once you've seen the figure, I'm sure you'll wonder what the display means by 300 points. SharePoint tracks resource usage based on CPU and RAM usage, number of SharePoint queries, number of exceptions, and some other factors. In total, it takes 14 different measurements, and each measurement's resource usage is converted into a point score. Each solution's point score is tracked separately, and the sum total for all solutions in a site collection counts against the site collection's quota.

By default, the resource quota is 300 points for all sandboxed solutions in a site collection. Whether this is too much or too little will require some benchmarking with the solutions you use, but it should be a good starting number.

In addition to the window Figure 2 shows, you can use the following PowerShell script to adjust the resource quota for a site collection:

$site = Get-SPSite "http://siteurl" 
$site.Quota.UserCodeWarningLevel = 200 
$site.Quota.UserCodeMaximumLevel = 400 

Using PowerShell, you can also adjust how these points are calculated. For example, if you have plenty of processing power, you can make CPU operations less expensive. To see the complete list of all 14 counters and how points are calculated for each one, run this PowerShell command:

[Microsoft.SharePoint.Administration.SPUserCodeService]::Local.ResourceMeasures |
  Select Name, ResourcesPerPoint

For space reasons, I won't print them all and will just introduce one of them, CPUExecutionTime. Its default value is 200 resources per point. To make CPU execution time "less expensive," just increase this number. Use this script:

$cpu2 = [Microsoft.SharePoint.Administration.SPUserCodeService]::Local.ResourceMeasures |
  where {$_.Name -eq "CPUExecutionTime"}
$cpu2.ResourcesPerPoint = 400
$cpu2.Update()

With this setting, 400 units of CPUExecutionTime equals one point. Similarly, to make CPUExecutionTime more expensive, use a smaller number. My advice is not to change these arbitrarily, and to change them only if necessary. Please note that these calculation rules are set at the farm level, so changes you make apply to all solutions in all site collections.

From the Solutions gallery where you add and activate a solution, you can also see current usage statistics for the currently activated solutions, as Figure 3 shows. Again, these are metered and count against the site collection quota that has been established. The current usage is the usage sum of all activated solutions.

By default, these resource points are recalculated every 15 minutes and get reset daily. Once the quota has been reached, no code from within any sandboxed solution can be run until a daily timer job runs, which resets the value for the next day. Unfortunately, there's no way to reset usage for a single day for a single site collection.
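The two deployment steps (upload, then activate) and the quota and usage figures described above can be combined into one script that a farm administrator can run per site collection. This is an added example, not the article's or Microsoft's code: it uses the Add-SPUserSolution and Install-SPUserSolution cmdlets and the Quota properties shown earlier, reads the SPSite CurrentResourceUsage and AverageResourceUsage properties (assumed to be the values the gallery displays), and the site URL, WSP path and function names are placeholders.

```powershell
# Added example, not from the article: upload and activate a sandboxed WSP,
# set the site collection's resource quota, and report usage against it.
# Assumes the SharePoint 2010 Management Shell. http://siteurl and the WSP path
# are placeholders; SPSite.CurrentResourceUsage / AverageResourceUsage are
# assumed to match the "Current usage" / "Average usage" figures in the gallery.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Deploy-SandboxedSolution {
    param([string]$SiteUrl, [string]$WspPath)
    $name = Split-Path $WspPath -Leaf
    # Step 1: upload the WSP to the site collection's Solutions gallery.
    Add-SPUserSolution -LiteralPath $WspPath -Site $SiteUrl | Out-Null
    # Step 2: activate it (unpacks the WSP and makes it available to users).
    Install-SPUserSolution -Identity $name -Site $SiteUrl
}

function Set-SandboxQuota {
    # Warning and maximum levels are in points, as in the quota screen.
    param([string]$SiteUrl, [int]$WarnPoints, [int]$MaxPoints)
    $site = Get-SPSite $SiteUrl
    try {
        $site.Quota.UserCodeWarningLevel = $WarnPoints
        $site.Quota.UserCodeMaximumLevel = $MaxPoints
    } finally { $site.Dispose() }
}

function Get-SandboxUsageReport {
    param([string]$SiteUrl)
    $site = Get-SPSite $SiteUrl
    try {
        $max = $site.Quota.UserCodeMaximumLevel
        $cur = $site.CurrentResourceUsage
        $solutions = Get-SPUserSolution -Site $SiteUrl |
            ForEach-Object { "$($_.Name)=$($_.Status)" }
        New-Object PSObject -Property @{
            Site         = $site.Url
            MaxPoints    = $max
            WarnPoints   = $site.Quota.UserCodeWarningLevel
            CurrentToday = [math]::Round($cur, 3)
            Average14d   = [math]::Round($site.AverageResourceUsage, 3)
            # Once today's usage reaches the quota, every sandboxed solution in
            # the site collection stops running until the daily reset job.
            OverQuota    = ($max -gt 0 -and $cur -ge $max)
            Solutions    = ($solutions -join ";")
        }
    } finally { $site.Dispose() }
}

# Usage (placeholders): deploy, set a 200-point warning / 300-point maximum, report.
Deploy-SandboxedSolution -SiteUrl "http://siteurl" -WspPath "C:\Packages\MyWebPart.wsp"
Set-SandboxQuota -SiteUrl "http://siteurl" -WarnPoints 200 -MaxPoints 300
Get-SandboxUsageReport -SiteUrl "http://siteurl" | Format-List
```

Running Get-SandboxUsageReport on a schedule gives you the same view as the Solutions gallery without opening each site collection, and OverQuota flags the collections whose sandboxed code has been switched off for the day.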

Other Options 

In addition to monitoring, you can completely block certain solutions. This is useful if you encounter a solution that just causes too many problems. You can upload the WSP package, and SharePoint will prevent anyone from uploading it to any site collection. This is done from the same screen where you set the load balancing settings (Central Administration, System Settings, Manage user solutions).

You can also block solutions based on certain characteristics found in packages or code. This requires a developer to write the validation logic, but gives you precise control over which types of solutions you want to allow to run in your farm. For example, you may want to block solutions that use event receivers.

Now you've learned what sandboxed solutions are, how they differ from traditional farm solutions, and how to add, deploy, and monitor their usage. While it's too early to say for certain, knowing the popularity of SharePoint, the need to customize, and the inevitable movement towards the cloud, I predict these will become a big deal as SharePoint 2010 matures. If nothing else, they'll ease the cost and burden of maintaining a SharePoint 2010 investment, and that's better for all.
Value for Admins


An interview with Microsoft's Eric Swift

by Sheila Molnar

I caught up with Eric Swift, general manager of SharePoint product management at Microsoft, for an exclusive interview on SharePoint 2010—the value for admins, customer reaction to the product, and what the road ahead looks like.

Molnar: You're relatively new in your role on the SharePoint team. Can you tell us a little about yourself?

Swift: I started my career working in data warehousing and sales force automation, and I worked on 
integration software. I jumped at an opportunity to move to Microsoft and started on the e-business 
server team: BizTalk Server, Commerce Server, and Content Management Server, at that time. I worked 
closely with the SharePoint team because Content Management Server moved over to the SharePoint 
side. We strategized about how the SharePoint offering would cover both internal collaborative apps 
and intranet sites in addition to external dotcom sites and extranet sites. Then I moved to Unified 
Communications and worked on Communications Server and Exchange Server. In February of 2010, 
I was asked to come back over to SharePoint. 


Molnar: Tell me how SharePoint 2010 is doing in the marketplace. 



Photo credit: Jim Molnar (jimolnar@msn.com) 


Swift: The SharePoint Conference [October 2009] where we first made the disclosure was a tremendous success. That took us by surprise. We knew it was going to be a great product, but we had no idea how much interest and enthusiasm there would be in the marketplace. There were a tremendous number of early adopters and customers who put the product in production—doing everything from the core workloads for their content management portals and dotcom sites to building innovative collaborative apps on top of them. So when we released the product, we had a tremendous amount of customer and partner evidence about people who were using the product.

Molnar: Folks in the SharePoint vendor ecosystem are telling me their research indicates a wave of SharePoint 2010 uptake coming in 2011. Are you seeing a wave coming?

Swift: Definitely. We have a tremendous amount of customers who have licensed the product and deployed it for just the base workloads—document sharing and storage. Now we're seeing a couple of different areas of growth. New customers are joining every day, but also those who have purchased the product already and who have deployed it for those base workloads are building more collaborative applications on top of the platform. SharePoint is moving beyond being just a place to store your documents and collaborate, to a place where you can add document workflow, collaborative workflow, and connectivity in the back-end systems—everything from dashboards to extended search capabilities across SharePoint information or corporate file shares, line of business (LOB) data, and business intelligence (BI) applications.

Molnar: Are you seeing a lot of interest in 
migration from WSS or MOSS? 

Swift: Yes, definitely. We worked hard to make sure that we had the right migration tools, and a good documentation experience, so that organizations move there as effectively as possible. We gave guidance early on about what you can do to optimize your experience. And almost every conversation we're having with SharePoint 2003 or 2007 customers includes looking at a migration strategy.

Molnar: Do you see a lot of interest in organizations moving from other collaborative platforms to SharePoint 2010?

Swift: We see a lot of people replacing competitive offerings because SharePoint offers a better solution in a specific area. SharePoint is a broad platform, so now they can have a common infrastructure, a common set of tools, and a common development environment where they can not only replace those individual point solutions, but have a complete platform for building additional capabilities on top of them.

Molnar: We've heard that SharePoint is one of the fastest growing server products in Microsoft history. What are your plans for reaching your next growth milestone?

Swift: We're looking at growing the SharePoint opportunity by adding more value to customers. In SharePoint 2010 we added more capabilities around Internet sites. That's one area of growth. We took the advantages of using SharePoint internally and pointed them outside in extranet scenarios, to partners and close customer groups, and dotcom sites. We utilized content management capabilities to create a better publishing environment for external websites. Another growth area is deeper workloads—things like building out BI solutions such as dashboards, KPI reports, and using Excel services to provide deep and robust analysis of very large data sets right in the SharePoint environment.

Molnar: How do you see the consumerization of IT playing out in the SharePoint space, as workers bring their expectations from home into the workplace?

Swift: SharePoint, especially 2010, really delivers with social capabilities we've added. We can bring the best of what people are used to in consumer environments but also provide it within a corporate environment that's managed, that's scalable, and that provides those security protections that IT demands. So you can store your documents, collaborate, have conversations, build out wikis, tag content, rate it, and yet do these things in a way that isn't outside of IT's visibility and searchability.

Molnar: Visual Studio has recently announced developer products geared toward non-developers such as LightSwitch. Down the road do you see more SharePoint admins and business people developing on SharePoint?

Swift: We definitely see that as one of the major opportunities for growth in SharePoint solutions. When an organization decides to make SharePoint their platform for collaborative apps, their developers can then create the basic building blocks whether they are workflow actions, connectivity to back-end systems, and connectivity for search connections. It really works out positively when IT and developers get together to create the right underlying infrastructure components, and then work with the business teams to design applications. Business users can do a lot of that development without having to know the details of the back-end systems and the details of .NET development because they've got the components right there.

Molnar: What's next for search in 
SharePoint? 

Swift: We're not communicating specifics on the road map right now, but we are seeing that that ability to search all your content and have a single place regardless of where it's located has just been a tremendous value. We worked with a technical company that was highly distributed and incredibly siloed. Knowledge about specific product lines, technical specifications, recommendations, and architecture was spread across the company. They used their SharePoint rollout to break down those walls, starting with the value of search, both people search and content search. Once you find what you needed, you could find out who worked on it, who the expert was, and then you could start collaboration from that point forward. We're looking to continue our investment in search and take the solid foundation we have and the innovative FAST technology to the next level both inside the firewall and for search on outbound sites.

Molnar: How do you see the SharePoint 
marketplace shifting over the next five 
years? 

Swift: There are a couple of places where we will see a shift. One is the move to consumer-driven demand. As we drive to the next generation of the web and the next generation of mobile devices, we see the market continuing to shift that way. Another area is online. Organizations that previously haven't had the staff and resources to provide all of the capabilities to their end users now can use an online service to provide the base capabilities and the base applications. In the next five years we'll see a major shift of work that has been done traditionally by IT at the infrastructure level moving online, which will allow IT to expand and increase the depth of their expertise and their value by focusing on those higher-level capabilities.

Another big shift will be to bring the consumers' experience in mobile into the corporate environment. Many of us use mobile devices to access our email and our calendars—that will continue to be invested in.
One of the key benefits of Active Directory (AD) is the ability to delegate privileges on an extremely granular level to other users in the directory. With AD's security delegation model, you can delegate common tasks—like password resets, account unlocks, or even creation and management of objects—to someone without making him or her an administrator of the directory. The Active Directory Users and Computers (ADUC) Microsoft Management Console (MMC) includes a wizard that can help with some common tasks, but it doesn't handle every scenario. In this article, we'll take a practical look at the more advanced AD security editor with some common examples. We'll also look at the different fundamental constructs that you will need to know in order to master AD delegation.

Learn how to use AD security editor to delegate in AD without compromising security

All About ACLs

An ACL is applied to every object in the directory, and it controls the security of that object. Also known as the security descriptor, the ACL is stored as binary data in the nTSecurityDescriptor attribute of the object. Starting with Windows Server 2003, AD internally uses a single-instance storage mechanism for storing ACLs in the AD database, since the majority of objects in the directory share a common set of ACLs. The actual ACL data is relatively large, so there is a substantial space savings in storing them only once.

ACLs are comprised of two major components: the Discretionary ACL (DACL) and the System ACL (SACL). The SACL is used to control when security audits are generated for that object (e.g., when it is modified). Both the DACL and SACL are comprised of a series of access control entries (ACEs), which represent the actual security permissions in the ACL. For the remainder of this article, we'll be referring to the DACL component when we use the term ACL.

In order to view the ACL of an object using ADUC, you'll first need to enable Advanced Features in the console by selecting View, then Advanced Features. Then right-click an object, open the Properties tab, then switch to the Security tab, which Figure 1 shows. You'll find that the UI is fundamentally identical to managing NTFS file system permissions and that there are just different security permissions to assign. If you're interested in digging deeper into the structure of the ACL, see the sidebar "Using the Security Descriptor Editor in LDP to Remove the Abstraction from the ACL."

Much like the permissions on the file system, permissions inside of AD will be inherited by child 
objects unless you tell the directory not to. This makes it very easy to give an administrator the ability 
to perform an operation (such as password reset) on all the objects in a specific organizational unit 
(OU) or OU hierarchy. If this functionality didn't exist, you would need to delegate the permissions 
on each user individually. 

AD uses an internal background process called the Security Descriptor Propagator (usually 
abbreviated SDProp) to apply inherited permissions to child objects. In a very large environment, 
Figure 1: Active Directory Users and Computers ACL Editor


you might not see inherited permissions 
applied immediately. If you've ever noticed 
an attribute called dSCorePropagationData 
in AD and wondered what it does, this is 
the attribute that stores state information 
for SDProp. 

What You Can Delegate 

At a high level, there are a limited set of operations that you can delegate, and they can be applied across all classes of objects or just to a specific class, such as users. If you're not familiar with the basics of the AD schema, take a look at "Extending the Active Directory Schema," November 2010, InstantDoc ID 126022, because we'll be using some of the terms from that article later in this discussion. Security delegations can be applied to grant permissions to users or groups. While it's functionally OK to delegate permissions to users, it's always best practice to delegate permissions to a group and then place the appropriate users in the group. With this method, you control users' rights by managing their group membership. This is a much simpler operational task than managing permissions. 

The most common delegation you'll probably apply is the ability to write to a specific attribute or set of attributes. If, for example, you want to delegate the ability to unlock user accounts, you'll grant Write Property permissions on the lockoutTime attribute. 

Certain operations that might seem like simply delegating Write Property to an attribute or two actually will involve delegating one or more extended rights. Reset Password and Change Password are two of the most common extended rights you'll run into. AD and other applications can check for permissions to an extended right when an operation is requested via standard APIs, and applications can even define custom extended rights in the directory. If you have Microsoft Exchange Server deployed, you'll find a number of extended rights, such as Send-As and Receive-As. 

If you take a look at the ACL on a user account (such as in Figure 1), you'll find that the SELF security principal is delegated the Change Password Extended Right. You'll also find that SELF is delegated the ability to write to a number of additional entries, such as Personal Information. Personal Information is an example of a Property Set, a collection of attributes, grouped together, that allows you to set permissions on the set instead of on all the individual attributes. AD allows attributes to be members of up to one Property Set. The advantage of Property Sets is that rather than creating individual ACEs that grant the ability to read or write to a large number of attributes, you can create a single delegation for the Property Set, and it will apply to all of the attributes in the set. 


Using the Security Descriptor Editor in LDP to Remove the Abstraction from the ACL 

You can use the Security Descriptor editor in LDP to remove the abstraction from the ACL. This interface is not very friendly or easy to use, but it will give you the opportunity to dig deeper. If you want to give this a try, use the following steps: 

1. Launch LDP by clicking Start, Run, then typing ldp.exe. 

2. Go to Connection, click Bind, then specify user credentials (if necessary). 

3. Click View, click Tree, then find your domain. 

4. In the tree on the left side of the screen, right-click an object whose ACL you want to look at, and go to Advanced, then Security Descriptor. Click OK on the ensuing dialog box. (If you select the SACL check box, you can see what audit settings are on the object as well.) 

You'll be able to double-click the entries in the Security Descriptor display for even more detail, which Figure A shows. Note that LDP versions earlier than Windows Server 2008 support only read-only text output of the ACL. 
Figure 2: Property set attributes shown in the Active Directory Schema Analyzer 


The specific delegation for SELF here allows that user to write to a number of attributes on his or her account. Many organizations will remove these rights because they don't want to risk letting users update information that is managed by a central system. The good news is that users will rarely discover how to edit these attributes. To do so, they would need to use an LDAP editor or something similar. 

If you're wondering what attributes are included inside a Property Set, you can use a tool bundled with Active Directory Lightweight Directory Service (AD LDS) to find out. On a machine that has the Windows Server 2008 (or newer) Remote Server Administration Tools (RSAT) tools installed and the AD DS and AD LDS tools enabled, browse to C:\Windows\ADAM and run ADSchemaAnalyzer.exe. Then, go to File, click Load Target Schema, specify a domain controller (DC) in your forest, then enter valid user credentials. The AD Schema Analyzer loads the AD schema and gives you a view that lets you browse relationships between classes, attributes, and property sets, which you can see in Figure 2. The attributes of each property set are listed under the Dependents container. 

Another common task you might want to delegate is the ability to create a specific set of objects, perhaps allowing the Help desk to create user objects. This is an extremely easy task to delegate; however, it's important to consider some of the hidden security implications of delegating the ability to create objects. When an object is created, the user who created the object is assigned as the object's owner in one of the fields in the ACL. Owners of an object have full control of that object, so they can bypass the granular permissions they are delegated on that object. Here's a good example of how delegating the right to create objects might come back to bite you. Say you delegate to a user the ability to create OUs, and you also delegate to that same user the ability to create users inside those OUs. Since the user has full control of those OUs, the user can actually create any type of object, such as computers or groups, inside those OUs. After your domain is in the Windows Server 2008 Domain Functional Level (DFL) 3 or better, you can take advantage of Owner Access Rights to control this issue. 
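As an added example (not code from the article), here is a PowerShell check for the ownership problem just described, together with the Owner Rights mitigation the article points to: the first function lists objects under an OU whose owner is not one of the usual administrative principals, and the second grants the OWNER RIGHTS well-known principal (SID S-1-3-4) an explicit read-only ACE, which replaces the implicit rights an owner would otherwise hold. It assumes the RSAT ActiveDirectory module and, per the article, Windows Server 2008 DCs; the OU path and the expected-owner list are placeholders for a contoso.com lab.

```powershell
# Added example, not from the article. Assumes the RSAT ActiveDirectory module
# and a contoso.com lab; the OU path and expected-owner list are placeholders.
Import-Module ActiveDirectory

function Get-UnexpectedOwners {
    # Lists objects below an OU whose owner is not an administrative principal.
    # Objects created by a delegated user are owned by that user, who can then
    # bypass the granular permissions delegated on them.
    param(
        [Parameter(Mandatory=$true)] [string] $OuDistinguishedName,
        [string[]] $ExpectedOwners = @('Administrators', 'Domain Admins', 'Enterprise Admins')
    )
    $findings = @()
    $objects = Get-ADObject -SearchBase $OuDistinguishedName -SearchScope Subtree -Filter *
    foreach ($obj in $objects) {
        if ($obj.DistinguishedName -eq $OuDistinguishedName) { continue }   # skip the OU itself
        $acl   = Get-Acl -Path ('AD:\' + $obj.DistinguishedName)
        $owner = [string] $acl.Owner                                         # e.g. CONTOSO\jdoe
        $expected = $false
        foreach ($name in $ExpectedOwners) {
            if ($owner -like "*\$name") { $expected = $true }
        }
        if (-not $expected) {
            $findings += New-Object PSObject -Property @{
                DistinguishedName = $obj.DistinguishedName
                ObjectClass       = $obj.ObjectClass
                Owner             = $owner
            }
        }
    }
    return $findings
}

function Set-OwnerRightsLimit {
    # Mitigation (Windows Server 2008 DCs and DFL, as the article notes): give the
    # OWNER RIGHTS well-known principal (S-1-3-4) an explicit, inheritable ACE.
    # When that ACE is present it replaces the implicit rights that ownership
    # would otherwise confer, so a creator-owner gets only what is listed here.
    param([Parameter(Mandatory=$true)] [string] $OuDistinguishedName)
    $ownerRights = New-Object System.Security.Principal.SecurityIdentifier('S-1-3-4')
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $ownerRights,
        [System.DirectoryServices.ActiveDirectoryRights]::GenericRead,
        [System.Security.AccessControl.AccessControlType]::Allow,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
    $path = 'AD:\' + $OuDistinguishedName
    $acl  = Get-Acl -Path $path
    $acl.AddAccessRule($rule)
    Set-Acl -Path $path -AclObject $acl
}

# Audit first, then constrain. Anything the Help desk created shows up with the
# creating user as Owner; after Set-OwnerRightsLimit, ownership alone grants
# only read access (explicit delegations to the user's groups still apply).
$ou = 'OU=Desktops,DC=contoso,DC=com'
Get-UnexpectedOwners -OuDistinguishedName $ou | Format-Table ObjectClass, Owner, DistinguishedName -AutoSize
Set-OwnerRightsLimit -OuDistinguishedName $ou
```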

Now that we've taken a look at the various terms and components you'll run into when delegating security permissions, let's apply them to perform a few common tasks. 

Delegating Password Reset and Account Unlock 

One of the most common tasks to delegate, usually to a service desk or Help desk, is the capacity to reset users' passwords when they forget them and unlock their accounts. To accomplish this, you'll need to perform a few delegations: You'll need to delegate the Reset Password Extended Right permission and the Write Property permission for the pwdLastSet and lockoutTime attributes. 

The pwdLastSet attribute stores the timestamp for when the user's password was last set so that AD can enforce password expiration. The lockoutTime attribute stores the timestamp for when the user's account was locked out. When you select the check box to require the user to change the password at next logon, you're actually setting pwdLastSet to 0. Likewise, when you select the check box to unlock an account in ADUC, you're actually setting lockoutTime to 0. 

Through the rest of this article, we're going to use the ACL editor in ADUC to create the delegations discussed. Some of the tasks we complete with this editor are also possible using the Delegate Control Wizard in ADUC. However, using the raw ACL editor provides a much more complete view of the changes being made. If you are following these steps with a version of ADUC that was released before Windows Server 2008 R2, some of the text in the screenshots and some of the steps might not match exactly. You can safely use newer versions of ADUC and the other RSAT tools with older versions of AD. 

For this discussion, we'll assume that you're going to delegate the ability to reset a user's password to the Service Desk Users group for all users inside the People OU. To complete this task, follow these steps: 

1. In ADUC, open the Properties tab of the People OU, switch to the Security tab, and click Advanced. 

2. Click Add and find Service Desk Users. 

3. On the Object tab, specify Apply onto Descendant User objects. 

4. On the Object tab, check Allow for the Reset Password permission. 

5. On the Properties tab, specify Apply onto Descendant User objects. 

6. On the Properties tab, select Allow for Write lockoutTime and for Write pwdLastSet. 

7. Click OK. 

8. Log on as a member of the Service Desk Users group, and verify that you can reset the password of a user in the People OU. 

Figure 3: People ACL after granting Password Reset and Unlock Account permissions 

You should see three additional ACEs, which Figure 3 shows. ADUC's ACL editor makes it easy to grant multiple permissions at once, even when those permissions require multiple ACEs. If you were to follow the above steps using a raw editing tool such as LDP, you'd need to create three individual ACEs: one for Reset Password, one for Write Property pwdLastSet, and one for Write Property lockoutTime. 

Delegating Adding Computers to a Domain 

Another common task is delegating the ability for a group of users to join machines to the domain. Out of the box, AD actually allows any authenticated user to join up to ten machines to the domain at any given time. AD implements this restriction using a function known as object quotas, which allows an administrator to specify the number of objects of a certain type that a user can have in the directory at any given time. AD determines how many objects count toward a user's quota based on the object ownership information, which is stored in the ACL alongside the DACL and SACL. 

There are two ways that you can delegate the right for someone (perhaps a junior administrator) to add an unlimited number of computers to the domain. The first way is to use the legacy NT Security Privilege (SeMachineAccountPrivilege), which allows a user to add machines to the domain. This privilege is granted on DCs via Group Policy and added to a user's security token when he or she logs on. If you simply want to allow users to join machines to the Computers container, granting the privilege via Group Policy might be the simplest way to go about this task. To delegate this right to the Service Desk Users group using Group Policy, follow these steps: 

1. Launch the Group Policy Management Console by clicking Start, Run, then type gpmc.msc. 

2. Right-click Default Domain Controller Policy, and click Edit. 

3. Browse to Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment. 

4. Open the Add Workstations to Domain entry. 

5. Add Service Desk Users as shown in Figure 4. 

6. If you want to remove the ability for any user to join workstations to the domain, remove Authenticated Users. 

Figure 4: Assigning Add Workstations to Domain privileges 

Figure 5: New Computer dialog box 

If you'd instead like to control what OUs a computer can be joined to, you'll want to use native Active Directory ACLs similar to the previous walk-through. In this example, we'll grant the Service Desk Users group rights to join machines to the Desktops OU, and we'll also give them the ability to reset machine account passwords in case they need to rejoin a machine to the domain. To do this, we'll grant the Service Desk Users group the ability to create computer objects in the Desktops OU, then grant them the Reset Password permission and Write to pwdLastSet permission on computer objects. 

The attributes and permissions that are available in the ADUC ACL Editor are loaded from the dssec.dat file on the local machine, instead of directly from the directory. One of the attributes that you will need to modify to complete this task isn't listed by default in the dssec.dat file. To edit the dssec.dat file, follow these steps on the machine you are running ADUC from: 

1. Open an elevated command prompt and switch to %windir%\system32. 

2. Launch notepad dssec.dat from the elevated command prompt. 

3. Find the [computer] section in the file. 

4. Find the line pwdLastSet=7 under [computer] and change it to pwdLastSet=0. 

5. Restart ADUC. 

To create this delegation, follow these steps: 

1. In ADUC, open the properties of the Desktops OU, switch to the Security tab, and click Advanced. 

2. Click Add, then click Find Service Desk Users. 

3. On the Object tab, specify Apply to This object only. (Note that if you have OUs under Desktops that you want to allow computers to be joined to, specify OU objects instead.) 

4. Select the Allow check box for Create Computer objects. 

5. Click OK. 

6. Click Add, then click Find Service Desk Users again. 

7. Select Apply to Descendant Computer objects. 

8. Select Allow for the Reset Password permission. 

9. On the Properties tab, specify Apply to Computer objects. 

10. Select Allow for Write pwdLastSet. 

11. Click OK. 


To test this delegation, you'll need to try joining a test computer to the domain using a user account that's a member of the Service Desk Users group. There are two ways to join a computer to the domain and specify the OU the computer will be in. The first method is to pre-create the computer account using ADUC. Launch ADUC and right-click inside the Desktops OU, click New, then click Computer. Specify the name of the computer, and grant the Service Desk Users group rights to join the machine, as Figure 5 shows. 

The second method is to use the netdom command line tool to join the machine and specify the OU as part of the command. To join a machine called TEST-PC02 to the Desktops OU at the root of a domain called contoso.com, run this command: 

netdom add test-pc02 /domain:contoso.com /userd:"contoso\john.doe" /passwordd:* /OU:"ou=desktops,dc=contoso,dc=com" 

You will be prompted for the password to John.Doe's account. If you want to use a smart card, you should add the /SecurePasswordPrompt switch. 
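Both walk-throughs above can also be reproduced from PowerShell. The following is an added example, not code from the article: it writes the same ACEs that ADUC creates (the three for password reset and unlock on the People OU, and the three for computer creation and reset on the Desktops OU), looking up attribute, class and extended-right GUIDs in the schema and Extended-Rights containers rather than hard-coding them. It assumes the RSAT ActiveDirectory module and the article's placeholder names (contoso.com, People, Desktops, Service Desk Users).

```powershell
# Added example, not code from the article. Builds the ACEs the ADUC ACL editor
# produces in the two walk-throughs so the delegation is scriptable and reviewable.
# Assumes the RSAT ActiveDirectory module; OU, group and domain names are the
# article's placeholders (contoso.com, People, Desktops, Service Desk Users).
Import-Module ActiveDirectory

$rootDse  = Get-ADRootDSE
$schemaNc = $rootDse.schemaNamingContext
$rightsNc = 'CN=Extended-Rights,' + $rootDse.configurationNamingContext

function Get-SchemaGuid([string] $LdapDisplayName) {
    # schemaIDGUID names an attribute or class inside an object-specific ACE
    $o = Get-ADObject -SearchBase $schemaNc -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    return [guid] $o.schemaIDGUID
}

function Get-ExtendedRightGuid([string] $DisplayName) {
    # rightsGuid names an extended right such as "Reset Password"
    $o = Get-ADObject -SearchBase $rightsNc -LDAPFilter "(displayName=$DisplayName)" -Properties rightsGuid
    return [guid] $o.rightsGuid
}

function New-DelegationRule {
    # One ACE. $AppliesTo is the class GUID of the descendant objects the ACE
    # applies to; omit it for "This object only" (e.g. Create Child on the OU).
    param(
        [System.Security.Principal.SecurityIdentifier] $Sid,
        [System.DirectoryServices.ActiveDirectoryRights] $Rights,
        [guid] $ObjectType,
        [guid] $AppliesTo = [guid]::Empty
    )
    $allow = [System.Security.AccessControl.AccessControlType]::Allow
    if ($AppliesTo -eq [guid]::Empty) {
        return New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
            $Sid, $Rights, $allow, $ObjectType,
            [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)
    }
    return New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $Sid, $Rights, $allow, $ObjectType,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents, $AppliesTo)
}

function Grant-Delegation {
    # Applies a list of rules to one OU with a single Set-Acl call.
    param([string] $OuDn, [System.DirectoryServices.ActiveDirectoryAccessRule[]] $Rules)
    $path = 'AD:\' + $OuDn
    $acl  = Get-Acl -Path $path
    foreach ($r in $Rules) { $acl.AddAccessRule($r) }
    Set-Acl -Path $path -AclObject $acl
}

$sid       = (Get-ADGroup -Identity 'Service Desk Users').SID
$userCls   = Get-SchemaGuid 'user'
$compCls   = Get-SchemaGuid 'computer'
$pwdLast   = Get-SchemaGuid 'pwdLastSet'
$lockout   = Get-SchemaGuid 'lockoutTime'
$resetPwd  = Get-ExtendedRightGuid 'Reset Password'
$writeProp = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
$extRight  = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$create    = [System.DirectoryServices.ActiveDirectoryRights]::CreateChild

# Walk-through 1: password reset and unlock for descendant users of the People OU.
Grant-Delegation -OuDn 'OU=People,DC=contoso,DC=com' -Rules @(
    (New-DelegationRule $sid $extRight  $resetPwd $userCls),
    (New-DelegationRule $sid $writeProp $pwdLast  $userCls),
    (New-DelegationRule $sid $writeProp $lockout  $userCls)
)

# Walk-through 2: create computers in Desktops (this object only), then reset
# password and write pwdLastSet on descendant computer objects.
Grant-Delegation -OuDn 'OU=Desktops,DC=contoso,DC=com' -Rules @(
    (New-DelegationRule $sid $create    $compCls),
    (New-DelegationRule $sid $extRight  $resetPwd $compCls),
    (New-DelegationRule $sid $writeProp $pwdLast  $compCls)
)

# Review what was written: the People OU should now show exactly the three ACEs
# for CONTOSO\Service Desk Users that Figure 3 shows.
(Get-Acl -Path 'AD:\OU=People,DC=contoso,DC=com').Access |
    Where-Object { $_.IdentityReference -like '*Service Desk Users' } |
    Format-Table ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType
```

Because the ACEs are written directly rather than through the ADUC UI, the dssec.dat edit is not needed here; dssec.dat only controls what ADUC displays.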

Practice, Then Delegate 

AD provides an incredibly flexible model that you can use to delegate very granular sets of permissions inside the directory to various sets of users. Delegations are stored inside ACLs, which are comprised of a series of ACEs. The Security Editor in ADUC Advanced mode simplifies complex delegations of permissions to objects, attributes, and extended rights. With a little bit of practice, you can easily start delegating granular rights to various groups, such as the Help desk or a junior administrator in your organization, without giving away the keys to the kingdom. 
In the first quarter of 2010, according to reports from industry security leaders Secunia, Symantec, and McAfee, third-party applications were responsible for the largest increase in security vulnerabilities—even overtaking OS flaws. Microsoft provides Windows Server Update Services (WSUS) as a free component in Windows Server to update third-party apps; Windows Update is the consumer equivalent. But small companies that don't have access to enterprise-class management systems are left without a simple means of updating third-party applications that are installed on Windows systems. 

Even though many popular applications such as Adobe Macromedia Flash Player and Google Chrome have their own update mechanisms, such third-party software might be limited by certain conditions. For example, third-party update mechanisms might not be enforceable, or they might not be able to be centrally managed. In addition, they often require users to have elevated privileges. Considering that several update mechanisms can be running on each device, the landscape soon becomes muddled. 


Use local publishing APIs to secure non-Microsoft applications 

by Russell Smith 


WSUS vs. GPSI 

Active Directory (AD) includes Group Policy Software Installation (GPSI), which gives administrators a rudimentary means of updating or deploying software to clients by using Windows Installer (.msi) files. But GPSI wasn't designed to scale for large networks, nor has Microsoft invested in the technology since the introduction of AD 10 years ago. 

Starting with version 3.0, WSUS includes local publishing APIs that, for the first time, let developers write code to publish custom updates to WSUS. But there's no free tool from Microsoft for leveraging these new APIs, although local publishing methods can be accessed from Visual Basic scripts or from other programming languages. (See the sidebar "System Center Updates Publisher and Windows Server Update Services Partner Catalogs" for more information about local publishing tools.) Despite this, using WSUS to deploy third-party software and updates has many advantages over GPSI, including the following: 

• In addition to .msi packages, command-line executables and drivers can be deployed natively 
without requiring users to have administrative privileges. 

• The Background Intelligent Transfer Service (BITS) is used to throttle the transfer of installation 
files to clients by using idle bandwidth. This is ideal for slow network links. 

• WSUS is designed to be part of an enterprise-wide distributed architecture. 

• WSUS includes basic reporting features. 

WSUS Local Publishing 

The following procedures demonstrate how easy it is to publish third-party updates to WSUS. All the operations in these examples, including WSUS client updates, are performed on a Windows Server 2008 R2-based computer that's a domain member in a test environment. Before you follow these procedures, use the Server Manager wizard to install and configure WSUS to the default settings. 

System Center Updates Publisher and Windows Server Update Services Partner Catalogs 

Organizations that use Microsoft System Center Configuration Manager (SCCM) 2007 or Microsoft System Center Essentials (SCE) 2007 have access to System Center Updates Publisher. SCUP is a tool that lets administrators package custom updates, then publish them via Windows Server Update Services (WSUS). Microsoft also provides access to partner catalogs (Dell, HP, Intel, and Citrix) for quick deployment of updates to WSUS servers. 

Configure WSUS for client-side targeting. To be able to separate which computers will receive your custom updates in the test environment, you need to create a computer group. 

1. Log on to Server 2008 R2 as a domain administrator. 

2. Open the Microsoft Management Console (MMC) Windows Server Update Services snap-in from Administrative Tools on the Start menu. 

3. In the console's navigation pane, expand your WSUS server and click Options. 

4. In the Options pane, scroll down the list of configuration options and click Computers. 

5. In the Computers dialog box, select Use Group Policy or registry settings on computers and click OK. 

6. In the navigation pane, expand Computer, right-click All Computers, and click Add Computer Group. 

7. In the Add Computer Group dialog box, name the new group Local Updates, then click OK. 


Configure local machine policy for Windows Update. In a production environment, the following settings would be configured in a Group Policy Object (GPO) and linked to an organizational unit (OU) that contains computers that we want to update by using WSUS. To simplify this demo, we'll set the local machine policy to configure Windows Update on the local computer only. 

1. Click Start, type MMC in the Start Search box, and press Enter. 

2. In the new console window, press Ctrl+M to add a new snap-in. 

3. In the Add or Remove Snap-ins window, select Group Policy Object Editor under Available snap-ins and click Add. 

4. In the Select Group Policy Object dialog box, leave the default selection of Local Computer and click Finish. 

5. In the Add or Remove Snap-ins window, click OK. 

6. In the MMC navigation pane, expand Local Computer Policy, Computer Configuration, Administrative Templates, Windows Components. Double-click Windows Update. 

7. In the center pane, double-click Configure Automatic Updates. 

8. In the Configure Automatic Updates window, select Enabled, then click OK. 

9. In the center pane, double-click Specify intranet Microsoft update service location, then click Enabled. 

10. Under Options, type http:// followed by the name of the WSUS local server in both boxes. Then click OK. 

(Note: In this example, the WSUS server is named WINMEM1 and all services are located on one server. Therefore, I entered http://winmem1 both for Set the intranet update service for detecting updates and for Set the intranet statistics server.) 

11. In the center pane, double-click Enable client-side targeting. 

12. In the Enable client-side targeting window, click Enable. In the Target group name for this computer box, type Local Updates. Click OK. 

13. Double-click Allow signed updates from an intranet Microsoft update service location, click Enable, and click OK. 

14. Close the MMC snap-in. 

15. Open a command-prompt window, and run the gpupdate /force command to make sure that the new settings are applied to the server immediately. 

Install Local Update Publisher. Local Update Publisher is an open-source tool that you can download for free from SourceForge at sourceforge.net/projects/localupdatepubl. The only prerequisite for the Local Update Publisher program is the .NET Framework 3.5, which you can install by using Server Manager on Server 2008 R2. You can do this quickly by opening a PowerShell window and running the following commands: 

import-module servermanager 
add-windowsfeature net-framework 

After the .NET Framework is set up, install the Local Update Publisher tool on the WSUS server. Then follow these steps: 

1. Start the Local Update Publisher tool from the Start menu under All Programs. (Note: You'll be prompted to connect to a WSUS server. Because you're working on the local WSUS server, you can leave the Name field blank, then click Connect.) 

2. In the Local Update Publisher program window, click LOCALHOST under Update Services. 

3. In the No WSUS Certificate found window that displays, click Yes. 



Figure 1: Importing a Windows Installer file into WSUS 

Figure 2: Entering software package details 

4. In the Certificate Information dialog box, click Create Certificate. (Note: A second window opens to indicate that a self-signed certificate has been successfully created and that it must be installed on all clients that will receive local updates.) 

5. In the installation confirmation window, click OK. 

6. In the Certificate Information dialog box, click Export Cert, then save a copy of the certificate to your desktop. 

7. Click OK. 

In a production environment, you should consider using a certificate issued by a Certification Authority (CA) that's part of your organization's public key infrastructure (PKI). 

Prepare WSUS for local updates. Before you continue, you must install the self-signed certificate on the WSUS server. In a production environment, you need to install the certificate on WSUS and on all clients that will receive local updates from WSUS. 

1. Click Start, type MMC in the Start Search box, and press Enter. 

2. In the new console window, press Ctrl+M to add a new snap-in. 

3. In the Add or Remove Snap-ins dialog box, select Certificates under Available snap-ins and click Add. 

4. In the Certificates snap-in dialog box, select Computer account and click Next. 

5. Leave the default selection of Local Computer and click Finish. 

6. In the Add or Remove Snap-ins dialog box, click OK. 

7. In the MMC navigation pane, expand Certificates (Local Computer), then expand Trusted Root Certification Authorities. 

8. Right-click Certificates, point to All Tasks, and click Import. 

9. In the Certificate Import wizard, click Next. 

10. On the File to Import page, click Browse. 

11. Select the certificate file that you saved to your desktop and click Next. 

12. On the Certificate Store page, leave the default selection and click Next. 

13. Click Finish. 

After the import finishes, click OK in the notification box. The WSUS Publishers Self-signed certificate will display in the MMC window's center pane. Repeat steps 7 through 13 to import the same certificate in the Trusted Publishers container. You can then close the MMC Certificates snap-in. 

Create a local update. To create a local update, you should work with a Windows Installer file whenever possible, because the Local Update Publisher tool automatically creates rules for applying updates through WSUS. If you must use an .exe file, and if you can't extract a Windows Installer package from it, you'll have to familiarize yourself with System Center Update Publisher Basic Rules. You can find more information about these rules at technet.microsoft.com/en-us/library/bb531004.aspx. 

To install the latest version of Flash Player via WSUS, first download the Flash Player Windows Installer file from fpdownload.macromedia.com/get/flashplayer/current/licensing/win/install_flash_player_10_active_x.msi. Then follow these steps to create a local update: 

1. On the Tools menu, click Create Update. 

2. In the Import Update from File window, which Figure 1 shows, click Browse. Then select the Flash Player .msi file that you previously downloaded. (Note: All the installation files are packaged inside the Flash Player MSI installer.) 

3. Click Next. (Note: The next page, which Figure 2 shows, already includes all the required information except Vendor and Product.) 

4. In the Vendor box, type Adobe. In the Product box, type Flash Player 10.1.85.3 or the appropriate program version. 

5. Click Next. (Note: Because we provided the Local Update Publisher tool with an .msi file to create the update, rules are automatically populated over the next few pages of the installation wizard. You can modify or add to these rules later.) 

Figure 3: Setting rules for installation 

www.windowsitpro.com | Windows IT Pro | FEBRUARY 2011 | 35 

THIRD-PARTY WSUS UPDATES 

Figure 4: Approving local updates 

6. On the Package Level—Installed Rules page, which Figure 3 shows, click Next to accept the default rules. 

7. Repeat step 6 on the following pages: Package Level—Installable Rules, Installation Item Level—Superseded Rules, and Installation Item Level—Rule Metadata. 

8. Review the XML information for the update, then click Finish. 

After a few seconds, you should be notified that the update has been successfully published to WSUS. 

Approve the local update. One disadvantage of using local updates is that they don't display in the WSUS admin console; you must manage them by some other means. Fortunately, the Local Update Publisher tool lets you manage and approve local updates. 

1. In Local Update Publisher, expand LOCALHOST, Updates, Adobe, Flash Player 10.1.85.3. 

2. In the details pane, right-click the update and click Approve. 

3. In the Approve Update dialog box, which Figure 4 shows, click No Approval to the right of the Local Updates group, then click Approved for Install. 

4. At the bottom of the Approve Update dialog box, click Approve. 

5. When you're prompted to update the approvals, click OK. 

6. Click Close. 
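For readers who would rather script the local publishing steps than use the Local Update Publisher GUI, here is an added example (not code from the article or from Local Update Publisher) against the WSUS 3.0 SP2 local publishing API in the Microsoft.UpdateServices.Administration assembly: it creates the Local Updates group, switches WSUS to client-side targeting, builds an update from the Flash Player .msi, publishes it, and approves it for the group. The file paths and the vendor and product strings are assumptions; run it on the WSUS server as an administrator after the signing certificate has been set up as in step 4 above.

```powershell
# Added example, not from the article or from Local Update Publisher. Uses the
# WSUS local publishing API (Microsoft.UpdateServices.Administration, WSUS 3.0 SP2
# or later) on the local WSUS server. Paths and product strings are placeholders.
[void] [System.Reflection.Assembly]::LoadWithPartialName('Microsoft.UpdateServices.Administration')
$wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer()   # local server

function Set-ClientSideTargeting {
    # Same effect as choosing "Use Group Policy or registry settings on computers".
    $config = $wsus.GetConfiguration()
    $config.TargetingMode = [Microsoft.UpdateServices.Administration.TargetingMode]::Client
    $config.Save()
}

function Get-OrCreateTargetGroup([string] $Name) {
    # Computers whose client-side target group name matches $Name land here.
    $existing = $wsus.GetComputerTargetGroups() | Where-Object { $_.Name -eq $Name }
    if ($existing) { return $existing }
    return $wsus.CreateComputerTargetGroup($Name)
}

function Publish-MsiUpdate {
    param(
        [string] $MsiPath,     # e.g. C:\Packages\install_flash_player_10_active_x.msi
        [string] $Vendor,      # "Adobe"
        [string] $Product,     # "Flash Player 10.1.85.3"
        [string] $SdpPath      # where the generated .sdp metadata file is written
    )
    # PopulatePackageFromWindowsInstaller reads the MSI's product code and version
    # and builds the installed/installable rules the article's wizard pages show.
    $sdp = New-Object Microsoft.UpdateServices.Administration.SoftwareDistributionPackage
    $sdp.PopulatePackageFromWindowsInstaller($MsiPath)
    $sdp.Title       = "$Vendor $Product"
    $sdp.Description = 'Published locally through the WSUS publishing API'
    $sdp.VendorName  = $Vendor
    [void] $sdp.ProductNames.Add($Product)
    $sdp.Save($SdpPath)
    # The publisher signs the content with the server's signing certificate
    # (the self-signed one from step 4, or preferably a PKI-issued one).
    $publisher = $wsus.GetPublisher($SdpPath)
    $publisher.PublishPackage((Split-Path -Path $MsiPath -Parent), $null)
    return $sdp.PackageId
}

function Approve-LocalUpdate([guid] $PackageId, [string] $GroupName) {
    # Equivalent of "Approved for Install" on the Local Updates group (Figure 4).
    $group  = Get-OrCreateTargetGroup $GroupName
    $update = $wsus.GetUpdate($PackageId)
    [void] $update.Approve([Microsoft.UpdateServices.Administration.UpdateApprovalAction]::Install, $group)
    return $update.Title
}

Set-ClientSideTargeting
$id = Publish-MsiUpdate -MsiPath 'C:\Packages\install_flash_player_10_active_x.msi' `
                        -Vendor 'Adobe' -Product 'Flash Player 10.1.85.3' `
                        -SdpPath 'C:\Packages\flashplayer.sdp'
Approve-LocalUpdate -PackageId $id -GroupName 'Local Updates'
```

Clients still need the publishing certificate in their Trusted Root and Trusted Publishers stores and the "Allow signed updates from an intranet Microsoft update service location" policy enabled, exactly as in the GUI walk-through.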
Verify installation. The final step is to verify that the Windows Update client installed the local update. 

1. On the WSUS server, click Start, type Windows Update in the Start Search box, and press Enter. 

2. In the search results, click Check for updates. 

3. In the Control Panel Windows Update applet, click Check for updates again on the left. 

4. After about one minute, you should see the option to install an important update. 

5. Click 1 important update is available, and check the update name to verify that it's the local update that was just published. 

6. After you verify the update, click Install updates to install Flash Player. 

Local Update Publisher also has basic reporting so that you can see which computers in a group have successfully received updates. In a production environment, there should be no reason to install Flash Player directly on a WSUS server. 

Disabling Flash Player auto update. By default, the standard installation of Flash Player checks every 30 days to see whether a new version is available. In a corporate environment, you'll probably want to disable this feature and manage updates centrally by using WSUS. You could modify the MSI database by using a free tool such as Microsoft Orca to include the necessary configuration file. However, that's a rather complicated undertaking if you're not experienced in authoring Windows Installer packages. A simpler solution is to create a configuration file (mms.cfg) to disable the auto update feature. This process is explained in the Adobe article "IT Administration: Configure Flash Player auto-update notification," at kb2.adobe.com/cps/167/16701594.html. You'd then use Group Policy preferences to copy the file to the appropriate location on the client computers. 

Don't Leave Updates to Chance 

The October 2010 update for Adobe Acrobat Reader alone patched 23 security vulnerabilities that, in some cases, could have allowed a remote attacker to launch malicious software. In light of such vulnerability, timely updates of ubiquitous software shouldn't be left to chance. Systems administrators often hope that users will initiate updates themselves—but such local updates typically require that users have administrative privileges, which would further increase the likelihood of malware infection. 

Using WSUS to publish third-party updates or even your own custom updates can significantly reduce the chance of computer infection. Thanks to its bandwidth throttling for slow networks and its ability (if the right architecture is in place) to reach notebooks that might not always be connected to the corporate network, WSUS is a better solution for making sure that all the computers in an organization are able to receive updates. 

If you're not comfortable using free, open-source software to publish updates to WSUS, you still have the option to rely on scripting or to create your own application. In addition, EminentWare (www.eminentware.com) offers two commercial solutions: the WSUS Extension Pack, for publishing local WSUS updates, and the 3rd Party Updates Pack, which contains continually updated and tested catalogs for third-party applications. 
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The Return of "Better Together" 


Chocolate and peanut butter. Baseball and hot dogs. Thelma and Louise. Some things just naturally belong together. To this list, you can add Microsoft Office Outlook and Microsoft Exchange Server. Exchange supports many different clients, and Outlook will work in conjunction with any IMAP server (and many third-party MAPI implementations). But these two products are carefully designed to embody the Microsoft "better together" story in which Outlook, the premium Exchange client, delivers compelling features only when used together with Exchange.

Over the years, the value proposition of individual upgrades has varied somewhat. But the basic 
principle has remained the same: Microsoft giveth, and Microsoft taketh away. The combination of 
Exchange 2010 and Outlook 2010 is no different. Outlook 2010 contains many changes, some of which 
are tied to Exchange 2010 and some of which stand alone. The main question most people ask about 
every new Office release is, “What new features do I get?" 

So this article focuses on what's new in Outlook 2010. (For a high-level look at the whole Office 2010 release, see Paul Thurrott's article "Office 2010 Not Resting on Its Laurels," July 2010, InstantDoc ID 125213.) The changes in Outlook 2010 can be broadly grouped into a few specific categories:

• Operational features; specifically, much better performance when starting and stopping Outlook, and some very welcome stability improvements in the Outlook IMAP implementation
• Dropped features from previous versions, such as support for ANSI OST files (which I doubt anyone will miss), the ability to connect to Exchange 2000 mailbox servers, and computational postmarking for messages
• New features that work together with any version of Exchange
• New features that rely on the Exchange 2010 implementation


A host of new features underscores a true working partnership

by Paul Robichaux


Although the first two categories are interesting, it's the new features that are really worth digging 
into more deeply. 

New Outlook 2010 Features 

With some Microsoft product releases, it's hard to pick out just one favorite feature because there are 
so many choices. Outlook 2010 is a prime example of this because it has a lot of nifty new capabilities 
built in. 

Multiple accounts per profile. Let's start with something that Mac users running Entourage have been enjoying for a while: the ability to maintain multiple Exchange accounts in a single profile. Not everyone needs this feature. However, when you do—say, if you're a consultant who needs to access both your company's and your clients' email systems—there really is no substitute. IMAP just doesn't work as well (in Outlook or anywhere else) as the combination of Exchange and Outlook. Outlook 2010 proves this by allowing you to have up to 15 Exchange accounts in a single profile. The accounts have full access to all Exchange features, including public folders, search folders, and delegate access. Administrators can prevent users from copying messages between accounts by using the new HKCU\Software\Microsoft\Office\14.0\Outlook\DisableCrossAccountCopy registry subkey. If you specify the primary SMTP domain that you want to protect, Outlook will prevent users from copying messages from folders in that account to any other defined accounts (or to .pst files).

Calendaring. Calendaring has received 
some significant attention in this release. 
A new vertical Schedule View shows you 
calendars for multiple users in a large table 
view. Every user is a row, and every hour is 
a column. This orientation makes it very 
simple to see who is available and when. 
A related improvement: If you're using an 
Exchange account, Outlook automatically 
provides you the option to see calendar 
data for your manager, for your peers, and 
for your direct reports, as defined in Active 
Directory (AD). 

Conversation actions. Outlook 2010 has been justly praised for its improved "attention management" features, which Microsoft groups together under the rubric of "conversation actions." The most notable of these features is the Ignore button (which has been compared to a mute button for email) and the ability to trim redundant messages from long threads by choosing the Clean Up command.

The Ignore feature depends on a new Outlook feature: conversation actions. There are three such actions: Ignore, Move, and Categorize. Conversation actions are stored in a hidden folder named Conversation Action Settings at the mailbox root. Every conversation that has a specified action will have an entry in this folder. You can see the entries by using MFCMAPI. Unlike server-side or client-side rules, only one conversation action can apply to a given conversation thread. This is because the actions are tied to a unique, per-conversation ID that is generated on the server. Conversation actions can be deleted automatically by the server after a preset time.
When you tag a conversation by using the Ignore button, messages in that conversation are automatically moved by the server to the Deleted Items folder. You can open an ignored message in Deleted Items, and then click Ignore again to deselect it. This deactivates the conversation action so that the conversation is no longer ignored.

By contrast, the Clean Up command works fine in any Outlook account, even in an IMAP account. This makes it handy for any account in which you receive many messages. When you clean up a conversation or folder, Outlook looks for duplicate message content. For example, let's say that Alice sends a message to Bob and Carol. Bob replies immediately, then Carol replies to Bob's reply. Outlook can safely delete Bob's message because its content is included in Carol's reply.

Quick Steps. Another new Outlook feature is its support for Quick Steps, which provide a simple, single-click interface for performing repetitive tasks. For example, you can configure a Quick Step to move messages to a particular folder that you use often. I have Quick Steps rules set up for my "pending orders" and "travel" folders. You can also create Quick Steps that take more complicated actions. I created one that marks the selected message as Read, moves it to a folder that I named "Action," assigns it to a category, and flags it for follow-up. Follow these steps to create your own Quick Step:

1. Start Outlook 2010. On the Home 
tab, click the dialog box launcher at the 
lower-right corner of the Quick Steps 
group. 

2. Click New, and then click Custom. 

3. In the Name box, type a name for 
the Quick Step. 

4. Click the Choose an Action down 
arrow, and then click Move to Folder. 

5. In the box that is displayed, click 
the Choose folder down arrow, and then 
select the target folder. 

6. Click Add Action, and then click 
Flag Message on the Actions list. You can 
select whichever flag duration you want; I 
use No Date. 

7. Click Add Action, and then click 
Categorize Message on the Actions list. 
You can select whichever category you 
want, or select Always ask for category if 
you want to be prompted. If you prefer, 
you can select a shortcut key and enter 
tooltip text in the Optional section. 

8. Click OK. 

The completed Quick Steps dialog box is 
shown in Figure 1. 

Because you can assign keyboard shortcuts to Quick Steps, you are likely to find that this single feature is one of your most frequently used. It simplifies the triaging of large volumes of mail.

Figure 1: The anatomy of a Quick Step

In the same manner as conversation 
action settings, Quick Steps are stored as 
a list of commands in a hidden mailbox 
folder. In this case, the folder is named 
Quick Step Settings. 

AutoComplete. The behavior of the AutoComplete addressee list is also changed. Previous versions of Outlook used a client-side .nk2 file that was specific to each computer. The .nk2 file contained the email address and display name of people to whom you addressed messages.

In Outlook 2010, these addresses are 
stored in the Suggested Contacts folder, 
a new contact folder that's automatically 
created alongside your normal mailbox 
Contacts folder. 

This new feature is both pleasingly useful and annoying. It's quite useful to have the same set of address information follow you from computer to computer so that you get a consistent list of addresses no matter where you are. However, Outlook happily adds every recipient that you send messages to, even if they're unsubscribe requests, responses to forum posts, or other transient addresses that you don't want to keep. This is especially annoying for iPhone and iPad users because the Apple mail client doesn't give you a way not to see the Suggested Contacts folder. You can turn this feature off by clearing the Automatically create Outlook contacts for recipients that do not belong to an Outlook Address Book check box in the Contacts section of Outlook options.

When you run Outlook 2010 for the first time, the program automatically tries to load your existing .nk2 file into Suggested Contacts. But that works only if your .nk2 file has the same name as the Outlook profile that you're using. You can manually load an .nk2 file, but first you have to rename it to match the Outlook profile. Then, you must run this command:

outlook.exe /importnk2

The one bad aspect of this particular feature is that Outlook 2007 and earlier versions don't recognize the presence of the server-side AutoComplete list, so they continue to use .nk2 files.

One long-standing bane of Exchange administrators is that Outlook has been difficult or impossible to run safely on Exchange servers because the two products required different—and incompatible—versions of MAPI. Getting the right DLLs in the right places was difficult and error-prone. Back in ancient times, the Exchange client could be used for MAPI profile management on the Exchange server. But having Outlook installed on the server has ranged from unwise to flat-out impossible.

Outlook 2010 can be installed, and is supported, on servers that are running Exchange 2007 or Exchange 2010. In fact, if you're using Exchange 2010 RTM, you must use Outlook 2010 to export and import mail to .pst files in Exchange 2010 for discovery and for mailbox import/export. However, Exchange 2010 SP1 completely changes how mailbox import and export work. So Outlook is no longer required on the server, making this feature less valuable than before. As a best practice, administrators shouldn't be reading and responding to mail on an Exchange server anyway because of the risk of compromise from malware. If you have to read mail on the server, using OWA is a good workaround.

Outlook 2010 has a 64-bit version too, as does the rest of Office 2010. However, I don't recommend deploying it for users just yet because the vast majority of Outlook add-ins are still 32-bit-only, so they won't run in the 64-bit version. Also, the move to 64-bit addressing doesn't provide any real performance or scalability benefits for Outlook users (as it does for Exchange itself).

User photos. The final non-Exchange-2010 feature I want to mention is one that you might have seen without realizing that it was new. Outlook 2010 displays pictures for users who have them. Pictures can come from individual contacts in your Contacts folders. If you add the thumbnailPhoto attribute to an AD user object, Outlook displays that photo for messages that are received from that user.

There are a lot of caveats to this feature. Chief among them is the fact that adding photos to your GAL adds considerably to the size of the file. Pictures typically range in size from 9-15KB; multiply that by 10,000 users in a large GAL and you start to see the potential impact. Exchange 2010 can add these photos to the OAB. From here, Outlook 2010 can retrieve them when it runs in cached mode so that the photos are available when the Outlook user is offline. However, Outlook 2007, OWA 2007, OWA 2010, and the Entourage family of clients won't display the photo at all.

We're in IT with You

New Exchange 2010-Based Features

Remember what I said earlier about chocolate and peanut butter? The features that I've described so far work for any kind of account that you may have. But Outlook 2010 also includes several features that work only in association with an Exchange 2010 mailbox.

MailTips. Let's start with MailTips. This is one of those features that makes you say, "Why didn't I think of that?" The basic idea is simple: The Exchange Client Access server emits a warning message for certain conditions, such as if you address a message to a large distribution group. Outlook 2010 and OWA 2010 display the MailTips messages in a bid to save you from wasting time or embarrassing yourself. For example, you compose a message to someone who's out of the office. Sure, you'll find out about it when the message is delivered and you get the recipient's out-of-office message—if they remembered to turn on the OOF feature.

By using MailTips, you get an immediate 
indication when you compose a message 
to someone who's out of the office. This lets 
you send the message to someone who will 
actually be able to act on it. 

Among its capabilities, MailTips can warn you about recipients whose mailboxes are over quota, external recipients you might have mistakenly included on a message, or that you performed a "reply all" to a message that you received as a BCC. This feature may not sound that compelling on paper; but after you've used it, you'll miss it if you have to revert to a client that doesn't support it. Although you can define custom MailTips for individual mailboxes, there's no way to extend them to permit new types of MailTips. One thing I hope to see in the future is an add-on for Outlook 2007 that will display MailTips. The MailTips information is available from the Exchange 2010 Client Access server, so it's feasible to do this.

Figure 2: Personal call answering New Rule dialog box


Voice Mail Preview. Exchange 2010 includes some major improvements to its unified messaging (UM) feature set. One example is the new Voice Mail Preview feature that translates spoken voicemail messages into text with surprising accuracy. (Although sometimes the surprise is what the transcription engine came up with for text!) A complete list of supported languages is available in "Understanding Unified Messaging Languages" at technet.microsoft.com/en-us/library/bb124728(EXCHG.140).aspx.

Exchange also delivers personal call answering rules that work similarly to the Outlook mail-handling rules, as you can see in Figure 2. Outlook 2010 provides a user interface for these features to display Voice Mail Preview transcriptions correctly. This enables you to edit call answering rules, although the interface for managing these rules is actually provided by the Exchange 2010 Client Access server. In the same vein, Outlook 2010 provides support for protected voicemail. By taking advantage of this Exchange 2010 feature, callers can mark as private any voice messages that they leave. The UM server uses AD Rights Management Services (AD RMS) protection to encrypt private messages. These messages can only be played back by using Outlook 2010 or Outlook Voice Access, neither of which allows private messages to be forwarded. Private voicemail messages, like other AD RMS messages, can be retrieved for discovery purposes, if necessary.


Personal Archive. The Personal Archive feature of Exchange 2010 represents another Microsoft shot across the bow of archiving and compliance vendors. This feature is designed to provide an easy-to-use, easy-to-manage solution for companies that have simple archiving requirements. Microsoft might be hoping that the Personal Archive feature will spell the doom of .pst files for most uses. That's because the Personal Archive is essentially implemented as a secondary mailbox on the Exchange 2010 Mailbox server. In Outlook 2010, the archive is treated as a peer of your primary mailbox. This treatment means that the archive mailbox is easy to use. Users can drag items into and out of the archive at any time. However, unlike .pst files, the Personal Archive mailbox is stored on the server, so it's accessible across computers. In fact, it's accessible through OWA 2010, and Microsoft has committed to shipping an Outlook 2007 plug-in that makes Personal Archives accessible from that client, too.

Originally, this plug-in was expected in late 2010, but Microsoft recently announced a projected shipment some time in the first half of 2011 (see msexchangeteam.com/archive/2010/08/25/455861.aspx).

SMS integration. Outlook 2010 supports integration with Short Message Service (SMS) text messages, too. At first this may seem like an odd feature, but it's actually quite useful. You can configure Outlook to send and receive SMS messages in either of the following ways:

• You can use a third-party SMS service. In this case, Outlook sends the SMS message to the service, and the service is responsible for delivering it to the recipient. Incoming messages may or may not be supported, depending on the service. However, incoming messages that the service delivers are synced to your Inbox in the same manner as regular mail messages.
• You can use a Windows Mobile 6.5 or later device. In this case, when you send an SMS message from Outlook, Outlook passes the message to the Exchange server, which uses Exchange ActiveSync (EAS) to transfer it to the telephone. The telephone then actually sends the message as though you'd composed it on the telephone itself. In this case, EAS is also used to sync text messages from your telephone back to your mailbox. However, many users I've spoken to express horror at the idea that their SMS messages might be synchronized with their company email system, so you must consider privacy issues before you roll out this feature.

SMS integration with Outlook makes it easy to quickly send SMS messages without actually having to hunt and peck them out on your phone's keyboard. Additionally, after you connect Outlook to an SMS service by using one of these two possible methods, Outlook can generate text messages that alert you about upcoming calendar events or that notify you about—or even forward—specified messages.

An Ideal Partnership 

The mechanics of licensing and deploying a new version of Office are not trivial—especially if you try to do that at the same time as you plan and deploy a new version of Exchange, of Microsoft SharePoint, or of Microsoft Office Communications Server. However, Microsoft has invested a lot of effort in making these products work better together.

Outlook 2010 is a compelling upgrade on its own, but it really shines in combination with Exchange 2010. I have been enthusiastically deploying Outlook 2010 everywhere I can. I strongly recommend that anyone who is planning a migration to Exchange 2010 include Outlook 2010 in the migration if at all possible. It's that good.

Microsoft introduced BitLocker Drive Encryption (BDE), or BitLocker, in Windows Server 2008 and Windows Vista. BitLocker offers volume-level data encryption for data stored on Windows clients and servers and protects the data when systems are offline (i.e., when the OS is shut down). BitLocker can prevent data breaches such as the theft of confidential corporate data on employee laptop computers. In previous Windows versions this protection wasn't possible without a third-party product.

BitLocker can also offer an integrity-checking mechanism that makes the OS itself more resilient in the face of attacks. When BitLocker is applied to the system volume, it can provide a file-integrity checking feature that automatically assesses the status of boot files such as the BIOS, Master Boot Records (MBRs), and the NTFS boot sector when the system boots and before the OS starts. If a hacker inserts malicious code into one of the boot files or modifies one of the files, BitLocker will detect it and block the OS from starting.

The first version of BitLocker had some shortcomings that Microsoft addressed in the newer OS releases. In the initial release, only a single volume—the OS drive—could be BitLocker protected. In Server 2008 and Vista SP1, Microsoft added support for BitLocker protection of different volumes, including local data volumes. In Server 2008 R2 and Windows 7, Microsoft added BitLocker support for removable data drives (e.g., memory sticks, external data drives). This feature is called BitLocker To Go. For an overview of the disk configurations that BitLocker supports, see Microsoft's "BitLocker Drive Encryption in Windows 7: Frequently Asked Questions" at technet.microsoft.com/en-us/library/ee449438(WS.10).aspx. Server 2008 R2 and Windows 7 also come with an extended set of BitLocker Group Policy Object (GPO) configuration settings, including a new data recovery agent feature that allows centralized recovery of the BitLocker-protected data in an Active Directory (AD) forest.

In this article I explain how you can leverage BitLocker without using a Trusted Platform Module 
(TPM). A TPM is a special security chip that's built in to most of today's PC motherboards. Using 
BitLocker with a TPM adds security value, but it also adds setup and management complexity and 
overhead. In addition, many organizations still have older computers that don't have TPMs. You can't 
add a TPM to a computer; it's either part of the system's design, or it isn't. 

Fortunately, Microsoft included several configuration options in BitLocker that make it usable on systems that don't have a TPM. I'll walk you through the steps to get BitLocker up and running on a computer that doesn't have a TPM, I'll explain which tools you need instead, and I'll cover best practices you can follow.

Protecting the OS Drive Without a TPM 

BitLocker is available in all Server 2008 R2 and Server 2008 editions (except the Itanium edition); Windows 7 Ultimate and Enterprise; and Vista. On Windows 7 and Vista the BitLocker logic is installed as part of the OS installation process. On Server 2008 R2 and Server 2008, BitLocker is an optional feature that you must install. You can do so using the Add features option that's available from the Initial Configuration Tasks window or—after installation—from Server Manager.

Figure 1: Initialization error in the BitLocker Drive Encryption wizard for OS drive protection. The wizard reports "A compatible Trusted Platform Module (TPM) Security Device must be present on this computer, but a TPM was not found. Please contact your system administrator to enable BitLocker." and offers only a Cancel button.

You can use BitLocker without a TPM for protecting your OS drive and for protecting fixed or removable data drives. Using BitLocker without a TPM to protect OS drives involves a BitLocker setup process that's slightly different from the standard process that I outline later in the article; it also requires an additional GPO tweak that you must make prior to starting the BitLocker setup process.

To protect your OS drive with BitLocker in the absence of a TPM, you need a removable USB memory device and a computer equipped with a BIOS that can boot from that device. This requirement is necessary because the USB drive holding the BitLocker encryption key must be connected and readable through the BIOS when your system starts. The user must then insert the USB drive during startup to unlock the encrypted OS drive.

Before you can use BitLocker on your OS drive without a TPM, you must change the default behavior of the BitLocker Drive Encryption wizard. If your system doesn't have a TPM, if your TPM is disabled, or if your TPM is set in the BIOS to be hidden in the OS, the BitLocker Drive Encryption wizard will display the error message shown in Figure 1 during the initialization phase. The wizard then also forces you to abandon the BitLocker setup—the Cancel button is the only option.

A GPO setting lets you change this default behavior. (Administrators can use a domain-based GPO to globally change the setting.) To change the behavior of the BitLocker Drive Encryption wizard on your Server 2008 R2 or Windows 7 machine, start Group Policy Editor (GPE). Click Start, Run, type gpedit.msc, and press Enter.

Navigate to the \Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives GPO container. Double-click Require additional authentication at startup—for configuring Server 2008 R2 or Windows 7 systems—or Require additional authentication at startup (Windows Server 2008 and Windows Vista)—for configuring Server 2008 or Vista systems. Then, click Enabled to enable changes to the policy, as Figure 2 shows.

If the Allow BitLocker without a compatible TPM option isn't selected, select it now. Click OK and close GPE. Use gpupdate.exe to update the GPO settings on your machine from the command line.

After you make the GPO change, the BitLocker Drive Encryption wizard will no longer generate a TPM error during initialization. The wizard will offer the Require a Startup key at every startup option as the only startup preference. When you click this startup preference, the wizard will prompt you to insert a removable USB memory device to save the startup key. After the BitLocker Drive Encryption wizard completes successfully, you'll be prompted to plug in the BitLocker USB key every time your system boots.

A similar GPO setting is available in Server 2008 and Vista. This setting is located in the \Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption GPO container's Control Panel Setup: Enable Advanced Startup Options entry.

Figure 2: Configuring BitLocker to work without a TPM

Figure 3: Setting the unlock option in the BitLocker Drive Encryption wizard (Use a password to unlock the drive, Use my smart card to unlock the drive, or Automatically unlock this drive on this computer)

On Server 2008 and Vista, you need to prepare your OS drive before you can protect it with BitLocker. BitLocker requires a special system partition to store system files that can't be encrypted and that are required to start or recover the OS. You can create this special system partition using the BitLocker Drive Preparation Tool. For information about the tool, including instructions for installing it, see the Microsoft article "Description of the BitLocker Drive Preparation Tool" at support.microsoft.com/kb/933246. In Server 2008 R2 and Windows 7 this tool is integrated into the BitLocker Drive Encryption wizard.
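The GPO change and the wizard run described above, scripted as an added example that is not the article's code. It assumes an elevated PowerShell prompt on Windows 7 or Server 2008 R2, E:\ as the USB drive for the startup key, F:\ as a separate drive for the recovery-password copy, and that the FVE registry values named in the comments are what the local policy setting writes (a domain GPO with the same setting takes precedence):

```powershell
<#
  Added example (not from the article): script the no-TPM OS-drive setup the
  article performs in gpedit.msc and the BitLocker wizard.
  Assumptions (mine): elevated prompt; E:\ holds the startup key; F:\ is a
  different USB drive for the recovery-password copy, so losing the startup
  key does not also lose the recovery password; the FVE values below are the
  local-policy form of "Require additional authentication at startup".
#>
param(
    [string]$OsDrive        = 'C:',
    [string]$StartupKeyPath = 'E:\',
    [string]$RecoveryCopy   = 'F:\BitLocker-recovery-C.txt'
)

function Test-TpmUsable {
    # True only when a TPM is present, enabled and activated. Anything else
    # produces the Figure 1 error in the wizard unless the policy below is set.
    $tpm = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                         -Class Win32_Tpm -ErrorAction SilentlyContinue
    if (-not $tpm) { return $false }
    return [bool]($tpm.IsEnabled().IsEnabled -and $tpm.IsActivated().IsActivated)
}

function Enable-NoTpmPolicy {
    # Local equivalent of Computer Configuration\Administrative Templates\
    # Windows Components\BitLocker Drive Encryption\Operating System Drives\
    # "Require additional authentication at startup" = Enabled, with
    # "Allow BitLocker without a compatible TPM" checked.
    $fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    if (-not (Test-Path $fve)) { New-Item -Path $fve -Force | Out-Null }
    Set-ItemProperty -Path $fve -Name 'UseAdvancedStartup' -Value 1 -Type DWord
    Set-ItemProperty -Path $fve -Name 'EnableBDEWithNoTPM' -Value 1 -Type DWord
    gpupdate.exe /force | Out-Null   # same refresh step the article uses
}

function Get-ConversionStatus {
    # Returns e.g. "Fully Decrypted", "Encryption in Progress", "Fully Encrypted"
    $line = manage-bde.exe -status $OsDrive | Where-Object { $_ -match 'Conversion Status' }
    if (-not $line) { throw "manage-bde could not report on $OsDrive" }
    return ($line -replace '^\s*Conversion Status:\s*', '').Trim()
}

# --- main ------------------------------------------------------------------
if (Test-TpmUsable) {
    Write-Host 'A usable TPM is present; the no-TPM policy change is not needed.'
} else {
    Write-Host 'No usable TPM found; allowing BitLocker with a startup key only.'
    Enable-NoTpmPolicy
}

# Do not touch a drive that is already encrypted or mid-conversion.
$state = Get-ConversionStatus
if ($state -ne 'Fully Decrypted') {
    throw "$OsDrive is '$state'; nothing to do."
}

# The wizard's path in one command: a startup key written to the USB drive
# (the only startup option offered without a TPM) plus a numerical recovery
# password. Without -SkipHardwareTest, BitLocker first runs the wizard's
# hardware test: encryption starts after the next restart, once the firmware
# has read the startup key from the USB drive.
manage-bde.exe -on $OsDrive -StartupKey $StartupKeyPath -RecoveryPassword
if ($LASTEXITCODE -ne 0) { throw "manage-bde -on failed with exit code $LASTEXITCODE" }

# Second copy of the recovery password, on a drive used for nothing else.
manage-bde.exe -protectors -get $OsDrive |
    Out-File -FilePath $RecoveryCopy -Encoding ascii
Write-Host "Protectors for $OsDrive (including the recovery password) saved to $RecoveryCopy"
Write-Host "Restart with the startup key in $StartupKeyPath to begin encryption."
```

On Server 2008 or Vista the same values apply, but the drive must first have the separate system partition the BitLocker Drive Preparation Tool creates, or manage-bde -on will refuse the volume.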

The Encryption Process 

The BitLocker Drive Encryption wizard makes setup easy, if not quick. The wizard can take a long time to run—possibly several hours depending on the drive size. Encrypting my 45GB data drive with BitLocker took about two hours. The good news is that the encryption occurs in the background and your computer is still useable during this time. However, I still recommend that you do nothing else on your machine until the encryption process is finished because your computer might run more slowly.

Before you start the BitLocker Drive Encryption wizard, make sure you have a full backup of the data on the drive you want to protect with BitLocker. Although the wizard is robust, it's still possible for something to go wrong (e.g., a drive hardware failure).

To start the BitLocker Drive Encryption 
wizard, go to the Control Panel BitLocker 
Drive Encryption applet. You'll see a list 
of all the available volumes that can be 
encrypted with BitLocker (OS, fixed, and 
removable drives). If you see a warning 
message—for example, a warning that 
there's no TPM present—then you must 
first complete the steps outlined in the 
previous section. 

In the BitLocker Drive Encryption applet, select Turn on BitLocker for the drive you want to protect to start the BitLocker Drive Encryption wizard. You can also right-click the drive icon in Windows Explorer and select Turn on BitLocker to start the wizard.


The BitLocker Drive Encryption wizard presents you with a series of options to unlock the drive, as Figure 3 shows. These options include Use a password to unlock the drive, Use my smart card to unlock the drive, and Automatically unlock this drive on this computer. Unless you choose to automatically unlock the drive, you must provide a password or smart card and associated PIN when you want to access the protected data drive. The option to automatically unlock the drive is available only for fixed data drives if your OS drive is also BitLocker protected—in which case the data drive is automatically unlocked when you log on to Windows. If you want to use a smart card to unlock your drive, you need a special certificate and private key on your smart card. For information about how to obtain such a certificate from an internal Certification Authority (CA) or how to generate a self-signed certificate for this purpose, see Microsoft's "BitLocker Drive Encryption Step-by-Step Guide for Windows 7" at technet.microsoft.com/en-us/library/dd835565(WS.10).aspx.

The wizard gives you the option to save the BitLocker recovery password to different locations: to a USB flash drive, to a file, or as a printed document. The BitLocker recovery password is of critical importance; it lets you regain access to your data if you forget your unlock password or lose your unlock smart card. I recommend that you always save at least two copies of the recovery password. If you use a USB drive, you shouldn't use the drive for anything else. Note that you can use the BitLocker Drive Encryption applet's Manage BitLocker option to make more backups of the recovery key after the wizard is finished.

Figure 4: Unlocking a BitLocker-protected data drive

www.windowsitpro.com | Windows IT Pro | FEBRUARY 2011 | 45 | BITLOCKER WITHOUT TPM

At this point the wizard presents you with a screen that asks whether you actually want to start the encryption process. Click Start Encrypting to proceed.

When the encryption process starts, 
Windows displays an encryption progress 
bar. On removable data drives you have the 
option to pause and resume the encryption 
process (use the Pause button to pause). 
This option is useful if you need to remove 
the drive during encryption. The pause and 
resume option isn't available during OS or 
fixed drive encryption. Click Close when 
the encryption process completes. 

You can easily see whether a drive is 
BitLocker protected by checking its drive 
icon in Windows Explorer. When a drive is 
encrypted its drive symbol is covered with 
a lock symbol. A gold closed lock indicates 
that the drive is locked; a gray open lock 
is displayed after you unlock the drive. To 
unlock an encrypted drive, right-click it 
and select Unlock Drive. The unlock screen 
appears, where you can enter your unlock 
password, as Figure 4 shows. Note that the 
Automatically unlock on this computer from 
now on option can be used only if your OS 
drive is also BitLocker protected. 
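The drive icon tells you whether a volume is locked, but it doesn't tell you which protectors it has, which matters most in a no-TPM deployment where the recovery password is the fallback. The following script is an added example, not from the article; it reports every encryptable volume's protection status and key protectors through the Win32_EncryptableVolume WMI class that Microsoft's BitLocker provider exposes (the article doesn't cover this class), and the $ProtectorTypeNames lookup table is constructed here from that provider's protector-type codes. Run it in an elevated PowerShell session.

```powershell
# Protector-type codes returned by Win32_EncryptableVolume.GetKeyProtectorType
# (lookup table constructed for this example).
$ProtectorTypeNames = @{
  0 = "Unknown"; 1 = "TPM"; 2 = "External key (USB startup/recovery key)"
  3 = "Numerical password (recovery password)"; 4 = "TPM and PIN"
  5 = "TPM and startup key"; 6 = "TPM, PIN, and startup key"
  7 = "Public key (smart card certificate)"; 8 = "Passphrase (password)"
}

function Get-BitLockerVolumeReport {
  # The BitLocker WMI provider lives in its own namespace and needs an elevated session.
  $volumes = Get-WmiObject -Namespace "root\cimv2\Security\MicrosoftVolumeEncryption" `
    -Class Win32_EncryptableVolume
  foreach ($vol in $volumes) {
    $protectors = @()
    $result = $vol.GetKeyProtectors(0)   # 0 = enumerate protectors of every type
    if ($result.ReturnValue -eq 0 -and $result.VolumeKeyProtectorID) {
      foreach ($id in $result.VolumeKeyProtectorID) {
        $type = $vol.GetKeyProtectorType($id).KeyProtectorType
        $protectors += $ProtectorTypeNames[[int]$type]
      }
    }
    $conv = $vol.GetConversionStatus()   # encryption progress for the volume
    New-Object PSObject -Property @{
      Drive               = $vol.DriveLetter
      ProtectionOn        = ($vol.ProtectionStatus -eq 1)   # 0 = off, 1 = on, 2 = unknown
      EncryptedPercent    = $conv.EncryptionPercentage
      KeyProtectors       = ($protectors -join ", ")
      # A volume with no recovery password is one you can't get back into after a
      # forgotten password or lost smart card, so flag it explicitly.
      HasRecoveryPassword = ($protectors -contains $ProtectorTypeNames[3])
    }
  }
}

Get-BitLockerVolumeReport |
  Format-Table Drive, ProtectionOn, EncryptedPercent, HasRecoveryPassword, KeyProtectors -AutoSize
```

Any row showing ProtectionOn as True with HasRecoveryPassword False is a volume whose recovery password was never created or was removed, which the wizard's "save the recovery password" step is meant to prevent.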

BitLocker's File-Integrity Checking 

Using BitLocker with a TPM for protecting an OS drive has advantages and disadvantages. In addition to volume-level encryption, BitLocker also provides a file-integrity checking mechanism. As I mentioned earlier, this mechanism automatically assesses the status of boot files such as the BIOS, MBRs, and the NTFS boot sector when the system boots and before the OS starts. If a hacker inserts malicious code into one of the boot files or modifies one of the files, BitLocker will detect it and block the OS from starting. BitLocker will then enter into recovery mode, and you'll need the BitLocker recovery password or recovery key to regain access to the system.

Despite the advantages of BitLocker's file-integrity checking mechanism, BitLocker adds TPM setup and management complexity to your environment. These disadvantages shouldn't be underestimated in large BitLocker deployments, especially from a total cost of ownership (TCO) point of view.


Improved Security 

BitLocker can add great security value to your Windows platforms for protecting OS, fixed, and removable data drives, even without a TPM. The Server 2008 R2 and Windows 7 version of BitLocker competes with third-party encryption tools—and surpasses them when it comes to integration with the Windows OS and its built-in management tools.
PowerShell functions can accept input in one of two ways: using parameters or the pipeline. Parameters are simple to understand because you define them as a part of a function. For example, the following code creates the Out-Item function, which has a parameter named $item:

function Out-Item($item) { 

} 

You can also create the function this way: 

function Out-Item { 
param($item) 

} 


In this case, you're defining the function's parameter using the param statement.

However, much of PowerShell's power and flexibility comes from its ability to process objects as they pass through the pipeline. In PowerShell's pipeline processing, the output from one cmdlet, function, or script becomes the input for another cmdlet, function, or script. For example, in the code

Get-ChildItem C:\ |
  Where-Object { $_.Length -eq 0 }

the $_ variable represents each object as it passes through the pipeline. To have a function process pipeline input, you can use the $_ variable inside a process script block. For example, the function

function Out-Item {
  process {
    $_
  }
}

uses a process script block to output every item it receives as pipeline input.

Alternatively, you can write a function that processes input from a parameter:

function Out-Item {
  param($item)
  $item
}

However, this approach isn't very flexible because the function determines how you must pass input to it.

Listing 1: The Basic Approach

function Out-Item {
  [CmdletBinding()]                         # callout A: enables cmdlet-like binding
  param(
    [Parameter(ValueFromPipeline=$TRUE)]    # callout B: $item also accepts pipeline input
    $item
  )
  begin { $n = 0 }                          # callout C: runs once, before the first item
  process {
    $item                                   # runs once per pipeline item (once for parameter input)
    $n++
  }
  end { Write-Host "Output $n item(s)" }    # callout C: runs once, after the last item
}




Listing 2: Approach to Use When You Don't Use Default Parameter Values

function Out-Item {
  [CmdletBinding()]
  param(
    [Parameter(ValueFromPipeline=$TRUE)]
    $item
  )
  begin {
    # callout A: if -item wasn't bound when the function was called, the input
    # must be arriving through the pipeline (no $ on the parameter name here)
    $PipelineInput = -not $PSBoundParameters.ContainsKey("item")
    Write-Host "Pipeline input? $PipelineInput"
    $n = 0
  }
  process {
    # callout B: pipeline items arrive one at a time in $_; parameter items are
    # walked one at a time with ForEach-Object instead of being output in one pass
    if ($PipelineInput) {
      $_
      $n++
    }
    else {
      $item | ForEach-Object {
        $_
        $n++
      }
    }
  }
  end { Write-Host "Output $n item(s)" }
}
Figure 1: Sample results from the code in Listing 1



So far, the examples I've shown you 
demonstrate how to write two types of 
functions—one that processes input from 
the pipeline and one that processes input 
from a parameter. But what if you want to 
use a single function that can process input 
from the pipeline or a parameter? This is 
now possible with PowerShell 2.0. 

The Basic Approach 

Listing 1 shows the basic approach for writing a function that can accept input from either the pipeline or a parameter. This code uses a process script block to process input from the pipeline and a param statement to process input from a parameter. Notice the addition of the CmdletBinding attribute in the function's param statement (see callout A) and the Parameter attribute in the $item parameter (see callout B). The CmdletBinding attribute, which is new in PowerShell 2.0, enables cmdlet-like behavior for the function. This allows the function to accept input using either the pipeline or a parameter.

As callout C shows, the Out-Item function also includes begin and end script blocks to report how many items the function outputs. (The begin and end script blocks execute only once, whereas the process script block executes once per item.)

Figure 1 shows the Out-Item function in Listing 1 working with pipeline input (the first command) and parameter input (the second command). If you look carefully at the second command's output, you'll notice that the Out-Item function reports that it processed only one item. When you use this basic approach, all the items are processed and output in one pass. This can be problematic if there are numerous items or if the items are slow (e.g., you're retrieving the properties of files over a slow network connection). For these reasons, I don't recommend using this basic approach.

A Better Approach 

Instead of the basic approach in Listing 1, 
which accesses all the items at once, it's 
better to access the parameter items one at 
a time, just as if you were using the pipeline. 
To do this, you need a way for the function 
to detect if its input is coming from the 
pipeline. One technique is to check whether 
the $item parameter is bound (i.e., used 
when calling the function). When the $item 
parameter is bound, the input comes from 
the parameter. When the $item parameter 
isn't bound, the function assumes the input 
is coming from the pipeline. 

The $PSBoundParameters variable is a hash table of bound parameters, and you can use its ContainsKey method to check whether the $item parameter is bound, as Listing 2 shows. In callout A, the Out-Item function uses the $PSBoundParameters variable to check whether the $item parameter is bound. (Note that when you use the ContainsKey method, you don't include the $ character with the parameter name.) The $PipelineInput variable will be True when the parameter isn't bound and False when the parameter is bound.

Figure 2: Sample results from the code in Listing 3

Callout B shows how the function uses the $PipelineInput variable. If input is from the pipeline, the function outputs the items ($_). Otherwise, it uses the ForEach-Object cmdlet to access each item in the parameter.
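The Listing 2 technique applied to something you would actually run, as an added example that is not from the article or its downloadable code: Get-FileSize (a name chosen here) reports each file's size and whether it is empty, so the same function serves both "Get-ChildItem C:\ | Get-FileSize" and "Get-FileSize -Item (Get-ChildItem C:\)". It also handles the one case Listing 2 leaves out: when the function is called with no input at all, the process block still runs once with $_ set to $null, which would otherwise be counted as an item.

```powershell
function Get-FileSize {
  [CmdletBinding()]
  param(
    [Parameter(ValueFromPipeline=$TRUE)]
    $item
  )
  begin {
    # Same test as callout A in Listing 2: -Item not bound means the input (if any)
    # is arriving through the pipeline. The parameter name carries no $ here.
    $PipelineInput = -not $PSBoundParameters.ContainsKey("item")
    $n = 0
    # One helper for both branches so every item is handled the same way.
    $report = {
      param($obj)
      # Accept FileInfo/DirectoryInfo objects as well as plain path strings.
      $file = if ($obj -is [System.IO.FileSystemInfo]) { $obj }
              else { Get-Item -LiteralPath "$obj" -ErrorAction SilentlyContinue }
      if ($file -and -not $file.PSIsContainer) {
        New-Object PSObject -Property @{
          Name   = $file.FullName
          Length = $file.Length
          Empty  = ($file.Length -eq 0)
        }
      }
    }
  }
  process {
    if ($PipelineInput) {
      # With no input at all, process still runs once with $_ = $null; skip that pass
      # so the count in end reflects real items only.
      if ($null -ne $_) { & $report $_; $n++ }
    }
    else {
      # Parameter input: walk the array one element at a time instead of in one pass,
      # so each file is reported as soon as it is examined.
      $item | ForEach-Object { & $report $_; $n++ }
    }
  }
  end { Write-Verbose "Processed $n item(s)" }
}

# Both call styles produce the same per-file output; add -Verbose to see the count.
Get-ChildItem $env:windir | Get-FileSize -Verbose | Where-Object { $_.Empty }
Get-FileSize -Item (Get-ChildItem $env:windir) -Verbose | Where-Object { $_.Empty }
```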

Approach to Use for Defined Default Parameter Values

You can't use the approach demonstrated in Listing 2 if you need to define a default value for a parameter using code such as

function Out-Item {
  [CmdletBinding()]
  param(
    [Parameter(ValueFromPipeline=$TRUE)]
    $item="Default"
  )
}

Setting the $PipelineInput variable using the line of code from callout A in Listing 2 won't work because the parameter isn't bound. As a result, the function will erroneously assume the input is coming from the pipeline.

Instead, you can follow the approach demonstrated in Listing 3. The code in callout A performs two tests to verify whether the input comes from the pipeline. First, it makes sure that the parameter isn't bound. Second, it makes sure that the parameter doesn't exist.

Figure 2 shows this code in action. The first command shows the Out-Item function's default parameter value. The second command specifies the input from the pipeline. The third command provides the input from the parameter.

Two Useful Approaches 

The two approaches I demonstrated are quite useful because they let your functions process input, no matter whether the input comes from a parameter or the pipeline. Which approach to follow depends on whether your function uses a default parameter:

• If your function will be processing input from the pipeline or a parameter, and the parameter doesn't contain a default value, you can follow the approach in Listing 2.

• If your function will be processing input from the pipeline or a parameter that contains a default value, you can follow the approach in Listing 3.

You can download the code for these two approaches by going to www.windowsitpro.com, entering 129159 in the InstantDoc ID box, clicking Go, then clicking the Download the Code Here button.

InstantDoc ID 129159 


Bill Stewart (bstewart@iname.com) is a scripting guru who works in the IT infrastructure group at Emcore in Albuquerque, New Mexico. He has written numerous articles about Windows scripting and is a moderator for Microsoft's Scripting Guys forum.
Make the most of a challenging browser-management scenario


I must admit that when I sat down to write this article, I was tempted to say, "If you want to manage your browser's configuration from Group Policy, migrate to Firefox." Why would a dyed-in-the-wool Group Policy fan such as myself make such a statement? Well, Internet Explorer (IE) configuration through Group Policy has been a mess for a long time. With no fewer than three separate and sometimes conflicting methods for configuring IE through Group Policy, I would be hard-pressed to tell anyone that using this technology is easy. But given the importance of locking down IE in many organizations, you must face this challenge and make the best of it. In this article, I'm going to offer some tips and best practices to help navigate the morass that is Group Policy management of IE.


by Darren Mar-Elia

Pick Your Poison

As I mentioned, there are three main methods for managing IE configuration through Group Policy:

• Administrative Templates settings under Computer Configuration (or User Configuration)\Administrative Templates\Windows Components\Internet Explorer: These settings are the typical Administrative Templates policy lockdowns, which set certain options in IE and which cannot be changed by the user.

• User Configuration\Windows Settings\Internet Explorer Maintenance: This is the original mechanism by which you could configure IE through Group Policy. Early versions of this mechanism had lots of bugs, and configuration behavior was unpredictable. The Windows 7 version is more reliable.

• User Configuration\Preferences\Control Panel Settings\Internet Settings: This Group Policy Preferences-based IE configuration method fills the gaps of the previous two methods, but it doesn't cover some key areas.


The bottom line is that, for most scenarios you're likely to encounter, you can't get away with using only one of these methods. Instead, you will probably have to use two, and possibly all three, to fully control IE behavior on your desktops and servers. I'll take a look at what each of these methods brings to the table and at some of the behaviors you need to be aware of in each case. Additionally, I'll mention areas where I've seen other folks take a different tack to work around the behavior of one of these three methods. For example, I've seen people simply write registry scripts to modify the underlying registry values of the IE options they want to control (e.g., proxy settings) rather than rely on the poor behavior of IE Maintenance policy.

Administrative Templates Policy 

The IE Administrative Templates options are available under both the Computer Configuration and User Configuration sections of a Group Policy Object (GPO). This means that you can set them to apply to all users of a given set of machines (Computer Configuration) or to specific targeted users (User Configuration). It's generally a good idea to avoid conflicts between per-computer and per-user policies for a particular user who is logged on to a particular machine. When conflicts occur, the per-computer settings usually win, but that's not always the case, and you should verify this behavior if you find that you are unavoidably put in a conflict situation. I usually stick to defining only per-user IE Administrative Templates settings, especially if I plan to use the other two policy areas in conjunction with this one. I do this because the other two are per-user only, and that keeps things cleaner when it comes to targeting IE-related policy.

Figure 1: Disabling IE features through Administrative Templates policies

When you upgrade to a new version of IE, that upgrade process will typically install a new ADM or ADMX template file on the system where you perform the upgrade. I'm sure the forthcoming IE 9 will be no different in this respect. If you're installing on Windows XP or Windows Server 2003, the updated file that contains all the relevant settings is named inetres.adm, and it will be saved in the C:\Windows\inf folder on the system where you perform the IE upgrade. You'll have to manually copy the inetres.adm file to a domain-based GPO if you want to start using those new settings. If you're working on Windows Vista, Windows 7, Windows Server 2008, or Server 2008 R2, you probably know that Microsoft shifted to the new ADMX template file format. Therefore, when you install a new version of IE, an updated inetres.admx file is saved in the C:\Windows\policydefinitions folder on your upgraded Windows system. If you've deployed an ADMX Central Store in your Active Directory (AD) domain, you'll have to manually copy the inetres.adm file into it, overwriting the existing version of this file.

Administrative Templates strengths. The IE Administrative Templates settings, like other Administrative Templates settings, are primarily designed to enforce behaviors on your IE users. When you configure an IE Administrative Templates setting, the user typically cannot undo it—the setting appears dimmed, or a corresponding tab is removed. For example, you can hide the Security tab in the Internet Options dialog box of this policy area, and the user won't see those options at all. In fact, when it comes to settings for disabling IE configuration features, you'll most likely find them all in this policy area, as Figure 1 shows.

Generally, it works best to use Administrative Templates to configure a particular setting and to remove that setting from the menu altogether so that the user can't even access it. Table 1 lists some common tasks that you can perform with this policy area and describes where you can access those settings.

Administrative Templates weaknesses. The biggest weakness of IE Administrative Templates is that you can't use this functionality to configure many areas of IE behavior. The list of items you can't configure includes the home page, proxy settings, and the options on the Advanced tab of the Internet Options dialog box (on the IE Tools menu). Additionally, if you want to configure a setting but also want to leave the user free to modify it, IE Administrative Templates is probably not where you're going to do this, since none of its mandates can be changed by the user.

Table 1: Common Administrative Templates tasks

Task: Control which domains are in the trusted sites
Policy Path: Computer (or User) Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Security Page\Site to Zone Assignment List
Comment: Note that you can configure site-to-zone assignments both here and in Internet Explorer Maintenance policy. However, these policy areas behave differently and should not be used together. This policy area configures a zone and does not let the user change or even see what sites are in that zone.

Task: Setting the Pop-up Blocker allow list
Policy Path: Computer (or User) Configuration\Administrative Templates\Windows Components\Internet Explorer\Pop-up allow list
Comment: Lets you set the list of domains that are allowed to show pop-ups. Doesn't let the user change the list after it is set. This can also be set from IE Maintenance.

Task: Disable tabs under Tools/Internet Options
Policy Path: Computer (or User) Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel
Comment: This is the only policy area where you can do this.

Task: Controlling browser history behavior
Policy Path: Computer (or User) Configuration\Administrative Templates\Windows Components\Delete Browsing History
Comment: Also available under the Group Policy Preferences Internet Settings feature.

Task: Turn off checking for IE updates
Policy Path: Computer (or User) Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel\Advanced Page\Automatically check for IE updates
Comment: Also available under the Group Policy Preferences Internet Settings feature.

Figure 2: Importing IE Security Settings into IE Maintenance Policy

IE Maintenance Policy 

As I mentioned earlier, I have a love-hate relationship with this policy area. Older versions of IE Maintenance were super buggy, and this led to a lot of frustration. That said, this mechanism was the only policy-based method for configuring settings such as proxy addresses until Internet Settings in Group Policy Preferences came along. Additionally, it's still the only way to configure site-to-zone assignments that doesn't prevent your users from adding their own sites to zones if they need to.

However, there's still some irritating 
behavior in IE Maintenance. When you first 
configure an IE Maintenance policy and 
you want to define, for example, Security 
Options, you open the interface in Group 
Policy Editor (GPE) to find a dialog box that 
resembles Figure 2. 

This seemingly innocuous interface is important to understand. When you choose to import settings into the policy, the UI takes your current IE security settings from the machine on which you're editing the GPO and imports them all—lock, stock, and barrel—into the IE Maintenance tool. If you go to another machine that's running a different version of Windows, it will import those IE settings into your policy. If that second machine has a different version of IE installed, you might see different options as well. This could have many unintended consequences. Therefore, I strongly recommend that you always create and edit IE Maintenance policy from the same machine or at least from the same version of Windows and of IE every time. In most cases, if you're editing IE Maintenance policy from a newer version of Windows (e.g., Windows 7 and IE 8), those settings are down-level compatible (e.g., setting a trusted sites zone from IE Maintenance on Windows 7 and IE 8 will still work when processed by a machine running XP SP3 and IE 7), but it's always best to test this behavior for any settings that you want to deliver.

IE Maintenance strengths. By and large, I recommend that people use this tool only when they need to control settings that can't be controlled from anywhere else. IE Maintenance policy is not really policy, in that it doesn't prevent the user from changing settings that you define. If you want to then prevent the user from changing those settings, you must also use the restrictions I mentioned in the Administrative Templates section. For example, if I use IE Maintenance to deliver proxy settings, I must also enable the User Configuration\Administrative Templates\Windows Components\Internet Explorer\Disable Changing Proxy Settings policy. Think of IE Maintenance policy as a way to set preferences that users can change unless you prevent them from doing so. However, these preferences will be reinforced upon any refresh of Group Policy, unless you're explicitly using IE Maintenance in what's called Preference mode, which can be enabled by right-clicking the Internet Explorer Maintenance node in GPE and selecting that option. When Preference mode is enabled, your IE Maintenance policy preferences are applied once to the user and then never again.
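A way to confirm on a client that the proxy preference and the matching lockdown both arrived, as an added example that is not from the article: the proxy values that IE Maintenance or Group Policy Preferences deliver land in IE's per-user Internet Settings key, while the Administrative Templates "Disable Changing Proxy Settings" policy writes Proxy=1 under the Internet Explorer\Control Panel policy key. The article doesn't list these registry locations; they are IE's standard ones, and Test-IEProxyLockdown is a name chosen here.

```powershell
function Test-IEProxyLockdown {
  # Where the preference (the proxy itself) and the mandate (the lock) live.
  $prefKey   = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
  $policyKey = "HKCU:\Software\Policies\Microsoft\Internet Explorer\Control Panel"

  # Either key may be absent on an unmanaged machine; treat absence as "not set".
  $pref = Get-ItemProperty -Path $prefKey   -ErrorAction SilentlyContinue
  $pol  = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue

  $proxyEnabled = ($pref -ne $null -and $pref.ProxyEnable -eq 1)
  $locked       = ($pol  -ne $null -and $pol.Proxy -eq 1)

  # The combination the article recommends is "configured AND locked"; the other
  # three states are the gaps a preference-only deployment leaves behind.
  $state = if ($proxyEnabled -and $locked) { "Configured and locked" }
           elseif ($proxyEnabled) { "Configured but user can change it (preference only)" }
           elseif ($locked) { "Locked but no proxy configured" }
           else { "No proxy, not locked" }

  New-Object PSObject -Property @{
    ProxyEnabled   = $proxyEnabled
    ProxyServer    = $pref.ProxyServer
    LockedByPolicy = $locked
    State          = $state
  }
}

Test-IEProxyLockdown | Format-List
```

Run it as the user whose policy you are checking, since both keys are under HKCU; a "Configured but user can change it" result means the Administrative Templates policy has not been applied to that user.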

Table 2 lists some of the common areas 
that people often use IE Maintenance 
policy to control. 

IE Maintenance weaknesses. I've already indicated that IE Maintenance policy is a poor choice for many IE configuration options because it doesn't really enforce its settings unless you disable those UI elements by using Administrative Templates policy. If there are IE settings that you have to configure through IE Maintenance (e.g., privacy), just be aware that the behavior of this policy area can be a bit flaky. If you find that your users aren't getting some settings you think they should, try issuing a Gpupdate /force command at the client workstation for any user who is having issues. Doing so might sometimes jumpstart IE Maintenance policy into doing what it's supposed to do. Additionally, IE Maintenance does automatically maintain diagnostic logs in %userprofile%\AppData\Local\Microsoft\Internet Explorer (in Windows 7) or in %userprofile%\Application Data\Microsoft\Internet Explorer (in XP) in the brndlog.txt file, as Figure 3 shows.

Table 2: Common IE Maintenance tasks

Task: Configuring proxy settings
Policy Path: User Configuration\Windows Settings\IE Maintenance\Connection\Proxy Settings
Comment: Can also be configured from Group Policy Preferences

Task: Configuring the default home page
Policy Path: User Configuration\Windows Settings\IE Maintenance\URLs\Important URLs
Comment: You can also configure pre-defined favorites from this section

Task: Configuring privacy settings
Policy Path: User Configuration\Windows Settings\IE Maintenance\Security\Security Zones and Content Ratings
Comment: This is the only place where you can configure privacy settings such as how cookies are handled by IE

Task: Centrally enabling or disabling browser add-ons
Policy Path: User Configuration\Windows Settings\IE Maintenance\Programs
Comment: You can also manage this from Administrative Templates, under Security Features\Add-on management

Figure 3: Viewing IE Maintenance policy logging in brndlog.txt (timestamped entries such as "Branding Internet Explorer...", "Processing current user policies and restrictions...", "seczones.inf processed successfully", "Refreshing browser settings...", and "Done processing group policy.")

Table 3: Common Group Policy Preferences Internet Settings tasks

Task: Configuring proxy settings
Policy Path: User Configuration\Preferences\Control Panel Settings\Internet Settings
Comment: Can also be configured from Group Policy IE Maintenance

Task: Configuring the default home page
Policy Path: User Configuration\Preferences\Control Panel Settings\Internet Settings
Comment: Can also be configured from Group Policy IE Maintenance

Task: Configuring advanced settings
Policy Path: User Configuration\Preferences\Control Panel Settings\Internet Settings
Comment: This is the only place where you can configure all the options on the Advanced tab of the Internet Options dialog box

Group Policy Preferences Internet Settings

Group Policy Preferences is a relatively new feature that Microsoft added to Group Policy for the Server 2008 release. You don't need Server 2008 to use the feature—any XP-and-later client can process Group Policy Preferences settings by using the correct Windows update that adds the Group Policy Preferences Client Side Extensions. However, you do need at least one Server 2008, Server 2008 R2, Windows 7, or Vista system to define and manage Group Policy Preferences settings. That can't be done from XP or Windows 2003. The most recent release of Group Policy Preferences, which shipped with Windows 7 and Server 2008 R2, provides support for configuring IE 5, IE 6, IE 7, and IE 8. I suspect that when IE 9 ships, Microsoft will update Group Policy Preferences to support that version as well (although you might have to wait for a new OS for this to be added).

The Internet Settings capability is kind of an odd duck. As the name implies, many of the settings are actually preferences that configure but do not enforce IE options, just like IE Maintenance policy. On the other hand, the Group Policy Preferences Internet Settings policy area provides some features that IE Maintenance doesn't, such as the Item-Level Targeting feature that is common to all Group Policy Preferences settings and that lets you deliver preference settings based on very granular targeting (e.g., by OS version or by laptop vs. desktop categories). Additionally, it contains some areas of IE control that the two previously mentioned policy areas don't. Table 3 highlights some of these areas.

Group Policy Preferences Internet Settings strengths. The ability to leverage item-level targeting is a big advantage to using Group Policy Preferences Internet Settings, assuming you need that kind of granularity for targeting IE configuration settings. Group Policy Preferences Internet Settings also provides a much more straightforward UI in GPE, literally emulating the configuration tabs in the actual IE product for each supported version. And it explicitly supports various IE configuration options for the last four major versions of IE in a single UI, which is not something you can find in the other two policy areas unless you really work at it. Finally, as illustrated in Table 3, this is the only policy area that lets you configure all the settings on the Advanced tab in the Internet Options dialog box.

Group Policy Preferences Internet Settings weaknesses. Similar to IE Maintenance, Group Policy Preferences Internet Settings suggests but does not enforce IE settings. You still need to use Administrative Templates to lock down UI areas that you configure through Group Policy Preferences. Additionally, there is a curious inconsistency about which settings are supported here. For example, on the Security tab, you can configure zone levels (e.g., high, medium-high), but you can't configure site-to-zone assignments on the very same page—they're inexplicably unavailable (appear dimmed). The same holds true on the Privacy tab, where you can configure pop-up allow lists but not any cookie-handling options. I can only imagine that Microsoft chose this approach to avoid muddying the already dark waters of IE configuration in the other two areas.

Getting on Top of IE 

As I think I've illustrated, the policy picture isn't altogether clear where configuring IE is concerned. For example, it's unfortunate that Microsoft didn't choose to use Group Policy Preferences as a platform for exposing all IE configuration settings and for really cleaning up their implementation. As a result, you have to choose your options carefully from the three different policy areas that I've discussed. Or, if the behavior of these three areas doesn't suit your needs, you might have to resort to registry scripts or to the IE Administration Kit (IEAK) to muck with IE configurations.
Combine built-in and third-party tools to create a comprehensive dashboard solution

by Cameron Fuller


Microsoft System Center Operations Manager 2007 R2 provides a solid platform for monitoring websites, servers, network infrastructure, and applications. In "Operations Manager Key Performance Indicators" (January 2011, InstantDoc ID 128969), I discuss Operations Manager's integration of several important Key Performance Indicators (KPIs) that monitor how well a server is performing. Operations Manager also has several dashboard options that let you use a single dashboard to determine whether your websites, applications, servers, and network infrastructure are functional. In addition, third-party products are available to help provide a comprehensive dashboard solution.

Built-In Dashboards 

Several dashboards are available for Operations Manager out of the box. Operations Manager uses 
views to display monitored data. Views can be created for alerts, events, state, performance, diagrams, 
task status, web pages, and dashboards. The dashboard option lets you use a single screen to display 
multiple views (from two to nine views) in Operations Manager. Figure 1 is an example dashboard 
view in which you can see the server state (top section), server alerts (middle section), and selected 
performance counters (bottom section). 

It's common to create a dashboard view that contains three views that are in turn scoped to a 
group. (A group is created with specific servers, with views limited to that scope.) This approach lets 
server administrators quickly see relevant information for only their servers in a single view based on 
the dashboard view. 

The Operations Manager dashboard displays multiple views of Operations Manager data—including 
websites, which I discuss later in the article. However, it doesn't provide an intuitive state view for diverse 
types of entities in the same screen (such as the health of a server and a distributed application), nor 
does it provide any charts, graphs, or gauges beyond the performance view in Figure 1. This dashboard 
is the simplest from an installation and prerequisite perspective because it has no prerequisites other 
than Operations Manager. The dashboard functionality is built in to the product. 


Microsoft Products with Operations Manager Dashboards 

Microsoft has several options for providing Operations Manager dashboards, including Service Level 
Dashboard (SLD) 2.0, Visio 2010 Add-in for System Center Operations Manager 2007 R2, Microsoft 
System Center Configuration Manager 2007 Dashboard, and Microsoft System Center Service Man¬ 
ager 2010 Dashboard. Each of these dashboards provides additional capabilities beyond the built-in 
Operations Manager dashboard view. (For additional information about using Operations Manager 
dashboards, including where to download each of the following dashboards, see the online Learning 
Path—www.windowsitpro.com, InstantDoc ID 129233.) 
Service Level Dashboard 2.0. SLD 2.0 uses new Operations Manager 2007 R2 functionality to provide tracking for service levels. This dashboard is useful in tracking service level objectives (SLOs) for Operations Manager entities, such as distributed applications. 

SLD 2.0 requires Windows SharePoint Services (WSS) 3.0 SP1 or Microsoft Office SharePoint Server (MOSS) 2007 SP1 (SharePoint 2010 isn't currently supported) because the dashboard is provided through the following Web Parts: 

• AdminFilter—Used to select which service levels (up to 6) are displayed on the dashboard, refresh rates (30 minutes by default), how much data the view will show (past 60 minutes, 24 hours, 7 days, 30 days, 60 days, week to date, past week, month to date, past month, quarter to date, past quarter, year to date, past year), and whether the aggregation type is hourly or daily. 

• SLANamesWebPart—Shows the health of the target(s) chosen in the AdminFilter. 

• SLOChart—Shows the health history of the highlighted target. 

• SloWebPart—Shows a gauge for the highlighted target. 

• TargetInstances—Shows header information for the highlighted web target. 

• UserFilter—Used to select the time zone, data aggregation, dashboard duration, and whether to use only business hours—and if so, which days of the week and times. 

• MasterContainer—Contains the SLANamesWebPart, SLOChart, SloWebPart, and TargetInstances, combined to form a unified dashboard (see Web Figure 1, www.windowsitpro.com, InstantDoc ID 129233). 

A distributed application exists to model the health state for Operations Manager. You can configure Service Level Tracking (SLT) to track the SLOs for the Operations Manager distributed application against an SLO goal that you define. In the example that Web Figure 2 shows, a monitor state SLO was created to track the availability of the Operations Manager distributed application. After this SLO is defined in Operations Manager, you can select the SLO from the AdminFilter so that the SLO appears in the dashboard, as Web Figure 2 shows. 

SLD 2.0 can also collect multiple metrics for a system, such as the percentage of processor utilization and the percentage of memory committed on the system. To view these metrics, create service-level tracking for an object and define multiple SLOs (in this case, a collection rule SLO). Both of these SLOs can be displayed in SLD 2.0, showing multiple metrics for the system. For example, Web Figure 2 shows both the processor utilization and the percentage of memory committed on the server. 

SLD 2.0 lets you easily track SLOs to 
show an overview for various Opera¬ 
tions Manager metrics. The dashboard 
is designed to work only from the SLOs, 
which are defined in Operations Manager's 
SLT. SLD 2.0 doesn't include any graphs 
or gauges other than those shown in Web 
Figure 1 and Web Figure 2. Overall, this 
solution provides intuitive dashboard func¬ 
tionality for service-level-related items in 
Operations Manager. 

Because SLD 2.0 uses websites to dis¬ 
play the dashboard, you can easily inte¬ 
grate these websites into the Operations 
Manager console by creating a web page 
view and defining the name, description, 
and target website. (I discuss this concept 
in more detail later in the article.) 

Visio. The Visio 2010 Add-in for System Center Operations Manager 2007 R2 lets you state-enable Visio diagrams. This add-in is useful for integrating application, network, data center, or server rack diagrams into Operations Manager to make the entities' health states available for use in the diagrams. 

Figure 2: Top five alerts by alert count 
Figure 3: Top five alerts by repeat count 

Visio integration requires Visio 2010 
and SharePoint Server 2010 Enterprise Edi¬ 
tion. SharePoint 2010 Enterprise is neces¬ 
sary to run Visio services. After the required 
components are installed, Visio diagrams 
can be saved to a SharePoint site as .vdw 
files, which can then be displayed in a web 
browser with status information gathered 
from Operations Manager. 

Visio integration makes it easy to take 
an existing Visio diagram and integrate 
the state of objects into a web-enabled 
Visio diagram. Web Figure 3 shows a web- 
enabled Visio diagram with health state 
integrated for the two servers shown, 
including an existing UPS that could also 
be monitored by Operations Manager and 
state-enabled. 

A benefit of Visio integration is the 
ability to take an existing Operations 
Manager diagram view and export it into 
Visio. The diagram can then be modified 
and uploaded to SharePoint. This process 
makes customizing Operations Manager 
diagram views simple. 

Visio integration with Operations Manager lets you blend Operations Manager and Visio diagrams in combined Visio 2010 and SharePoint 2010 Enterprise environments. This dashboard option provides state-integrated views that can represent pretty much anything you can create in Visio; in addition, the dashboard has a corresponding health state in Operations Manager. However, this dashboard solution doesn't provide charts or graphs—which administrators typically require from dashboard products. 

Configuration Manager Dashboard. Microsoft System Center Configuration Manager 2007 includes a dashboard that can be configured to display Operations Manager dashboard information. You can generate dashboards that contain bar charts, graphs, pie charts, and gauges based on information stored in the OperationsManager or OperationsManagerDW databases. 

The Configuration Manager Dash¬ 
board requires WSS 3.0 or SharePoint 2007 
(SharePoint 2010 isn't currently supported) 
and uses the following Web Parts: 

• Microsoft Dashboard Configuration— 
Provides configuration for each of the 
data sets used by the Dashboard Viewer 
Web Part, including which query to run 
and which database to run it on. 


• Microsoft Dashboard Viewer—Displays 
configured data sets through a variety 
of methods, including charts, gauges, 
data grid, and score cards. 

The pie charts in Web Figure 4 and 
Web Figure 5 show the amount of free 
space and used space in the Operations 
Manager data warehouse and Opera¬ 
tions Manager database. The SQL que¬ 
ries used to create these charts are the 
same for each database (but with the data 
set defined to use OperationsManager or 
OperationsManagerDW). 

The bar charts in Figure 2 and Figure 3 
list the current top five alerts, by alert count 
and by repeat count. The SQL query used 
for the alert count bar chart is 

-- Top five alert names by number of alerts raised 
SELECT TOP 5 SUM(1) AS AlertCount, AlertStringName 
FROM AlertView WITH (NOLOCK) 
WHERE TimeRaised IS NOT NULL AND AlertStringName IS NOT NULL 
GROUP BY AlertStringName, AlertStringDescription, MonitoringRuleId, Name 
ORDER BY AlertCount DESC 

The SQL query used for the repeat count bar chart is 

-- Top five alert names by total occurrences; RepeatCount is zero-based, so add 1 
SELECT TOP 5 SUM(RepeatCount + 1) AS RepeatCount, AlertStringName 
FROM AlertView WITH (NOLOCK) 
WHERE TimeRaised IS NOT NULL AND AlertStringName IS NOT NULL 
GROUP BY AlertStringName, AlertStringDescription, MonitoringRuleId, Name 
ORDER BY RepeatCount DESC 

Figure 4: Distributed application translated into Live Maps (the map shows the MyDA Web Application distributed application with its Synthetic Transaction, Operations Manager Web Site, Default Web Site, Live Maps v5 Web C... and Monitor My Website items; the image itself is not reproduced here) 
Figure 5: Modified Live Maps diagram 

The gauge in Web Figure 6 shows the 
Operations Manager server's processor 
utilization. You can easily configure gauges 
to display any performance counters that 
Operations Manager monitors. You can 
see the SQL query used for the processor 
utilization gauge in Web Listing 1. 

The gauge in Web Figure 7 shows free 
disk space. You can see the SQL query used 
for this gauge in Web Listing 2. 
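The bar-chart queries above run under whatever SQL login the Dashboard Configuration Web Part is given, so the check a practitioner would want is that this login can only read the views the charts need. The T-SQL below is an added example and is not from the article, from Microsoft's dashboard documentation, or from Web Listing 1 or 2: it creates a least-privilege reader for the OperationsManager database and then a data set query that generalizes the page's "top five by alert count" chart to a severity breakdown of open alerts over a time window. The login name scom_dashboard_reader, the password placeholder and the 24-hour window are assumptions; the Severity and ResolutionState columns of AlertView and the UTC storage of TimeRaised are standard in Operations Manager 2007 R2 but are not named on the page.

```sql
-- Added example (not from the article). Run in SQL Server Management Studio or sqlcmd
-- as a sysadmin; the dashboard data set then uses the new login, not the installer's.
USE [master];
-- Assumed login name; replace the placeholder with a real password before running.
CREATE LOGIN [scom_dashboard_reader] WITH PASSWORD = N'<strong-password-placeholder>';
GO

USE [OperationsManager];
CREATE USER [scom_dashboard_reader] FOR LOGIN [scom_dashboard_reader];
-- Grant SELECT on the one view the charts need rather than db_datareader on the
-- whole database: a compromised dashboard then exposes alert text, not everything.
GRANT SELECT ON OBJECT::dbo.AlertView TO [scom_dashboard_reader];
GO

-- Dashboard data set query: open alerts raised in the past 24 hours, bucketed by
-- alert name and severity. Compared with the page's query it weights repeated
-- alerts, drops closed alerts, and restricts the window (assumed: 24 hours).
-- Severity 0 = Information, 1 = Warning, 2 = Critical; ResolutionState 255 = Closed.
SELECT TOP 10
    AlertStringName,
    CASE Severity
        WHEN 2 THEN 'Critical'
        WHEN 1 THEN 'Warning'
        ELSE 'Information'
    END                      AS SeverityName,
    COUNT(*)                 AS AlertCount,        -- equivalent to SUM(1) on the page
    SUM(RepeatCount + 1)     AS TotalOccurrences   -- RepeatCount is zero-based
FROM dbo.AlertView WITH (NOLOCK)                   -- dirty reads are fine for a chart,
                                                   -- never for an audit or compliance report
WHERE TimeRaised >= DATEADD(hour, -24, GETUTCDATE())  -- TimeRaised is stored in UTC
  AND AlertStringName IS NOT NULL
  AND ResolutionState <> 255
GROUP BY AlertStringName, Severity
ORDER BY Severity DESC, TotalOccurrences DESC;
```

The alias TotalOccurrences is deliberately different from the RepeatCount column so that the ORDER BY is unambiguous; the page's own query reuses the column name as the alias, which works but is easy to misread. Paste only the SELECT statement into the Web Part's data set; the login and GRANT statements are a one-time setup step.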

The Configuration Manager Dashboard 
provides flexible configurations for any 
charts, graphs, or gauges required for a 
dashboard. This solution is extremely pow¬ 
erful and should be seriously considered if 
you need such reports on your dashboard. 

Service Manager Dashboard. Micro¬ 
soft System Center Service Manager 2010 
includes a dashboard that seems to be 
based on the Configuration Manager Dash¬ 
board. The Service Manager Dashboard 
has the same functionality as the Configu¬ 
ration Manager Dashboard but adds tabs 
that provide multiple URLs that can be 
used to display different dashboards. 

Savision Live Maps 

Savision Live Maps (www.savision.com) is 
a third-party dashboard solution that lets 
you state-enable various types of diagrams. 
As with Visio integration, Live Maps can 
be used to provide application, network, 
data center, or server rack diagrams and to 
integrate them with Operations Manager 
so that the entities' health states are avail¬ 
able on the live map. Live Maps can also 
play sounds when an alert occurs on the 
dashboard. 

Live Maps integrates seamlessly 
with Operations Manager; the product 
installs in an existing Operations Manager 


environment on an IIS-enabled system. 
Live Maps offers dashboard solutions that 
are easy to implement, such as the prebuilt 
Operations Manager 2007 health map that 
Web Figure 8 shows. This map shows the 
health state of all Operations Manager 
components. 

One of my favorite uses to integrate 
state views is to take an existing distrib¬ 
uted application in Operations Manager 
and convert it into a dashboard view. The 
diagram views for a distributed applica¬ 
tion in Operations Manager are useful but 
they don't let you use a specific layout for 
where various pieces of the application 
are displayed or how they're labeled and 
organized. Translating a distributed appli¬ 
cation into Live Maps lets you represent 
the application in a more intuitive view, as 
Figure 4 shows. 

This Live Maps-integrated diagram 
view is useful, but it would be even more 


useful if you could change the labels and 
rearrange the diagram elements into a 
design that's more intuitive for the opera¬ 
tors who are actually monitoring the envi¬ 
ronment. The modified diagram in Figure 5 
was created by using a live map generated 
from the distributed application. 

Live Maps is extremely powerful 
because of its tight integration with Opera¬ 
tions Manager. Because the live maps are 
stored as entities in Operations Manager, 
their health state rollups can be changed. 
For example, the map in Figure 5 shows a 
health rollup in which as long as any of the 
three servers is healthy the top item (Web 
Sites) is healthy as well. Although Live 
Maps provides health state integration, 
this dashboard solution doesn't offer either 
charts or graphs—which administrators 
often require from a dashboard product. 

Savision provides a free five-map ver¬ 
sion of Live Maps. You can download this 
free version at www.savision.com/free- 
version. 

Bringing It All Together 

As I discussed in the built-in dashboards section, the Operations Manager console displays a series of views, including the web page view. This view lets you easily integrate the various dashboard technologies. With a unique URL for the dashboard item (SLD 2.0, Visio, Configuration Manager Dashboard, Service Manager Dashboard, or Live Maps), you can add these tools as web views that are displayed in the Operations Manager console. Using the built-in Operations Manager dashboard view lets you display multiple views. Figure 6 shows a Savision Live Maps dashboard and the Configuration Manager Dashboard displayed in the same view. 

Figure 6: Savision Live Maps and Configuration Manager Dashboard displayed in one view 
Figure 7: Combining SharePoint's Page Viewer Web Part and Configuration Manager Dashboard's Dashboard Viewer Web Part 

SharePoint dashboard. If you already have SharePoint in your environment, you can use the Page Viewer Web Part to easily integrate websites such as those generated by various dashboard products. Figure 7 shows an example of SharePoint being used with both the Page Viewer Web Part (displaying the live map on the top of the screen) and the Configuration Manager Dashboard's Dashboard Viewer Web Part (displaying the time required to execute a synthetic transaction against the website, the average processor utilization across the web servers, and recent history of processor utilization on the web servers). SharePoint offers an extremely flexible method for gathering multiple dashboard technologies into a single unified solution for Operations Manager dashboards. 

Table 1: Dashboard Technology Services 

Dashboard Technology            | State Integration | Service Level Tracking | Charts        | Gauges 
SLD 2.0                         | For SLT items     | Yes                    | For SLT items | For SLT items 
Visio                           | Yes               | No                     | No            | No 
Configuration Manager Dashboard | No                | No                     | Yes           | Yes 
Savision Live Maps              | Yes               | No                     | No            | No 

Table 2: Dashboard Technology Integration 

Dashboard Integration Technology | Complexity | Flexibility | Requirements 
Operations Manager Dashboard     | Minimal    | Minimal     | Operations Manager 
SharePoint                       | Moderate   | Moderate    | SharePoint 
PerformancePoint                 | High       | Extremely   | PerformancePoint and SharePoint 

PerformancePoint dashboard. Another option to seriously consider when integrating multiple dashboard technologies is Microsoft Office PerformancePoint Server. PerformancePoint is built on SharePoint and is used to generate dashboards and scorecards that can be integrated to gather information from Operations Manager. One of the primary benefits of using PerformancePoint to display Operations Manager metrics is the ability to view numerous dashboard items in a noninteractive dashboard. For example, this option works well in a network operations center or for displaying real-time dashboard data in an organization. 

Swiss Army Approach 

No single Operations Manager dashboard 
solution includes all the information you 
might want in a dashboard (e.g., state 
integration, service-level tracking, charts, 
gauges). Using dashboards in Operations 
Manager is much like using a Swiss Army 
knife: A variety of options let you integrate 
different dashboard solutions. 

Table 1 summarizes the services pro¬ 
vided by the dashboard technologies that 
I discuss in the article. Table 2 summa¬ 
rizes the options available for integrating 
these dashboard solutions, including their 
functionality. 

Operations Manager 2007 has numer¬ 
ous options for robust dashboard function¬ 
ality. Which dashboard options you choose 
will vary depending on your organization's 
requirements. For more information about 
using Operations Manager dashboards, see 
the online Learning Path. 

FinallySecure Enterprise Adds Web Management Console 

SECUDE has added a web-based man¬ 
agement console to FinallySecure, its full 
disk encryption software solution. The 
FinallySecure Management Console 
(FSMC) is a central management solu¬ 
tion that lets IT administrators remotely 
configure and decommission FinallySecure 
Enterprise clients in an enterprise environ¬ 
ment. The web-based Java application has 
an intuitive interface and synchronizes 
with Active Directory. New features include 
enhanced reporting; search functionality; 
an improved policy wizard; support for 
Glassfish and Apache Tomcat; and support 
for MySQL, SQL Server, and Oracle. To learn 
more, visit www.secude.com. 

Reduce Time to Identify Cause of 
Incident Analysis 

eIQnetworks announced ForensicVue, the first real-time forensic search engine to let enterprise security analysts search every piece of security data on their network. According to the vendor, organizations can identify the root cause of incidents up to 60 percent faster using ForensicVue than any other product on the market. 

The product can find security data in all 
formats, including log events, vulner¬ 
abilities, configurations, performance, 
availability, net flow, file integrity, USB 
monitoring, and system compliance data 
and correlate it via a single console. The 
product also supports hundreds of OSs, 
network and security devices, enterprise 
and custom applications, databases, and 
third-party products, including McAfee 
EPO, Symantec SEP, CMDBs, SIEM, and 


more. For more information, visit www.eiqnetworks.com. 

Spirent Extends Network Testing 
Solutions 

Spirent Communications has partnered 
with cPacket Networks to extend its live 
Ethernet network testing solutions with 
advanced products that incorporate 
cPacket technology to provide traffic 
aggregation/de-aggregation and advanced 
packet filtering. "High speed network 
infrastructure, data centers, and cloud 
computing are growing markets in which 
network and service reliability are critical to 
ensuring user satisfaction and maintaining 
SLAs,"said Sean Yarborough, senior director 
of Strategy & Business Development at 
Spirent. "cPacket's real-time inspection, 
monitoring, and aggregation capabili¬ 
ties combined with Spirent expertise in 
data center and cloud computing testing 
ensures that we are offering the best solu¬ 
tion to address customers' needs." To learn more, visit www.spirent.com and www.cpacket.com. 

TeamSupport.com Updates Help Desk Product 

TeamSupport.com has announced a new software release. New features include: family tickets to let admins associate support tickets with one another; tagging so admins can organize tickets better; a ticket queue to let admins prioritize, organize, and structure their workloads; an inventory module to help businesses track and manage physical assets; email templates to provide admins with tools to fully customize outbound emails with unique branding; and email routing to create multiple email dropboxes to automatically route inbound messages. To learn more, visit www.teamsupport.com. 

Contact Verification Server Can Verify 7 Million Records Per Hour 

Melissa Data has launched the Contact Verification Server. The product is an appliance built by Dell that incorporates six WebSmart components for contact data verification and enrichment, including address, phone, and email verification; name parsing; geocoding; and change-of-address processing. The server can verify more than 7 million records per hour and additional servers can be clustered together for increased scalability, throughput, and redundancy. The Contact Verification Server is ideal for companies that need to meet HIPAA, Sarbanes-Oxley, and other privacy and compliance guidelines by enriching, scrubbing, and validating customer data safely and securely. 

"The Contact Verification Server is a completely new, turnkey solution for our customers," said Bud Walker, product manager at Melissa Data. "The server incorporates our proven data quality architecture in off-the-shelf hardware so users can get it up and running in minutes. And, the server automatically fetches and installs the latest contact datasets for headache-free maintenance." 

The server is built by Dell and carries a flexible support contract from Melissa Data to troubleshoot and repair services, and mission critical replacement, if necessary. For more information, visit www.MelissaData.com/CVS. 

Figure: janusSEAL email security 

janusNET Makes 
Mobile Email More 
Accessible 

janusNET has announced janusGATE 
Mobile, a solution that lets organizations 
manage and control email delivery to 
any smartphone platform, including iOS, 
Android, Symbian, Windows Mobile, and 
Blackberry. Greg Colla, Managing Director 
at janusNET says: "Convention has it that 
the provision of mobile e-mail services 
should be limited to senior executives 
and mobile workers. The main constraint 
to further rollout has been the huge 
expense of deploying and operating a 
large fleet of fully managed, approved, and 
policy controlled company smartphones." 
Features include message management and monitoring; privacy policy enforcement; classifications; and Word, Excel, and PowerPoint support. To learn more, visit www.softek.co.uk. 


InMage Announces Disk Backup and Disaster Recovery Software 

InMage has announced vContinuum, a software product designed for disk backup and disaster recovery of VMware ESX and vSphere virtual machine (VM) environments. Features of the product include: elimination of backup windows; application consistency; long-term data retention on disk; file-level recovery; and utilization of target storage capacity. In addition, vContinuum's GUI offers a way to perform application-aware protection and recovery at the VM level. It automates VM discovery, creation of protection policies, operational recovery scenarios, and performs push-button failover and fallback operations. For more information about this product, visit www.inmage.com. 

[Figure: janusSEAL "Specify the security classification" dialog with PERSONAL, PUBLIC, and CONFIDENTIAL options, a Qualifier field, and Send, Cancel, and Help buttons] 
Microsoft Security Essentials 2 

PROS Free, effective, lightweight 

CONS No central management or support for 
businesses; should be part of Windows 

RATING: ♦♦♦♦◊ (4 of 5) 

RECOMMENDATION: While Microsoft is edging ever-closer to simply bundling antivirus and anti-malware capabilities with Windows (as it should), the company's not there yet. 

But the next best thing is providing users with 
an absolutely free AV/anti-malware solution, 
which is what Microsoft is doing with the 
newly released Security Essentials 2 product. 

It's available for consumers everywhere and 
also for small businesses with 10 or fewer 
desktops. It's small, light, and virtually invisible 
from the user's perspective, which is great, and 
despite some FUD from competing AV vendors, 
it scores well in real-world detection and 
removal tests. My beefs are few but important: 
It should be given to all Windows users, includ¬ 
ing those at businesses, and it should be part 
of the base OS. 

CONTACT: Microsoft • www.microsoft.com 

DISCUSSION www.winsupersite.com/article/windows-7/Microsoft-Security-Essentials-2.aspx 


Google Chrome OS Preview 

PROS: Lightweight, cloud-based system; familiar browser-based UI 

CONS: No real local resources or storage; incomplete; perhaps a bit too different 

RATING: ♦♦♦◊◊ (3 of 5) 

RECOMMENDATION: After promising to 
deliver its browser-based Chrome OS by the 
end of 2010, Google instead delayed the 
release until sometime in 2011, offering up a 
beta version instead. It's actually pretty impres¬ 
sive looking and (along with the iPad) points 
to a future computing model that is simpler 
and more pervasively connected than today's 
PCs. But Chrome OS could also face a bit of 
a backlash from users who expect rich local 
resources like copious amounts of storage, and 
digital media content. Will Chrome OS be a hit? 
It's hard to say, but I expect ideas from this OS, 
at least, to make their way into mainstream 
computing in 2011. 

CONTACT Google • www.google.com 

DISCUSSION www.winsupersite.com/article/internet/Google-Chrome-vs-the-World-Part-3-Chrome-OS.aspx 
REVIEW 

NEC Express5800/R320 


The NEC Express5800/R320 is a fault- 
tolerant server that's ideally suited to 
mission-critical virtualization, database, 
and email tasks—all the vital services that 
your organization depends on. I reviewed 
a NEC Express5800/R320 4U rack-mounted 
server with two CPU modules that are kept 
in lockstep. The CPU modules aren't simply 
individual processors. Instead, each CPU 
module is a completely enclosed 2U unit; 
each module contains its own six-core 
Intel Xeon CPU, motherboard, RAM, power 
supply, and hard drives. Each CPU module 
slides into a chassis that you mount in your 
rack. 

The NEC 5800's mission-critical design 
was apparent immediately, beginning 
with my out-of-the-box experience. Unlike 
most servers that are shipped in a standard 
corrugated box, the NEC 5800 comes on 
a wooden pallet. After opening the box, 

I was a bit surprised to see that the unit 
required some assembly. My NEC contact 
told me that the company ships the unit 
with each CPU module packaged sepa¬ 
rately to improve shipping reliability. Each 
CPU module is housed in a steel case. The 
chassis is also extremely rugged and made 
out of steel. As you might guess, this solid 
construction makes for a pretty heavy unit. 
The NEC 5800 weighs in at just about 105 
pounds. 

To install the unit, I basically slid each 
of the CPU modules into the chassis and 
fastened them in place using the thumb¬ 
screw latch assembly provided on the front 
of each CPU module. I then mounted the 
unit in the rack and connected it to the 
power and network. Each CPU module 
has its own power supply. The NEC 5800 
unit that I tested came equipped with one 
logical Xeon 5670 processor—a six-core 
CPU running at 2.93GHz, with the new Intel 
5500 chipset. My test unit had 4GB of RAM 
and 144GB of disk storage with a 73GB, 

2.5", 15,000rpm hard disk. 

Just to be clear, I use the term logical 
because the unit actually had two physical 
sets of CPU, motherboard, RAM, and disk 
storage—one set per CPU module. This 
redundant hardware is what enables the 
fault tolerance. Each CPU module can 
support up to 96GB of RAM running at 



1333MHz, as well as up to 4.8TB of Serial 
Attached SCSI (SAS) disk storage. 

Internally, there were two PCI Express 2.0 expansion slots and two PCI Express 1.0 expansion slots. On the back of each CPU module, there were three 1GB network ports. Two ports were intended for client networking activity, whereas the other port was intended for remote management. In total, there were four client network ports that were configured as a team using Intel's Advanced Network Services (ANS) technology. The teaming technology provided fault tolerance for networking connectivity to the unit. 

"The NEC 5800 is an excellent performer, with test scores that are comparable to those of other high-end servers we've tested." 

Notably, the CPU modules themselves 
don't provide connections for a video 
display, keyboard, or mouse. Instead, the 
video, keyboard, and mouse connections 
were on the chassis—not on each CPU 
module. The integrated video controller 
provided 32MB of RAM and supported a 
maximum of 1280 x 1024 display resolu¬ 
tion. Like several of the newer servers I've 
tested, the NEC 5800 had no PS/2-style 


mouse and keyboard ports; the mouse 
and keyboard connections were USB only. 
You could use the port on the front of the 
unit or the ports on the back of the unit. 
Because two of these ports are required by 
the mouse and keyboard, I did wish that 
the unit had more USB ports available— 
especially on the front of the system. The 
front of the chassis provided a vertically 
mounted DVD drive and the single USB 
port. On the back, the chassis had the two 
additional USB ports, as well as the moni¬ 
tor port and two serial ports. 

The power switch is protected by a 
hard plastic flip cover designed to prevent 
accidently powering the unit on or off. 
When the unit is powered on, it takes a 
couple of minutes before it displays the 
BIOS setup prompt, then it continues its 
boot process like any standard server. 

After I initially powered the unit on, it went 
through a period of about a half hour 
while it synced the storage. A Ready to Pull 
light indicates when the unit is operating 
in fault-tolerant mode. At first, the unit 
wouldn't go into fault-tolerant mode. 
However, after I reconfigured the network 
teaming, the Ready to Pull light came on 
and the unit was fully fault tolerant. 

I tested the NEC 5800 by setting up four virtual machines (VMs) and running our in-house virtualization test suite. Each VM was running Windows Server 2008 Enterprise Edition with the Hyper-V role installed and a single instance of SQL Server 2005 Enterprise Edition. The VMs were all configured to use 512MB of RAM and the VM files were stored on the local drives. The use of NIC teaming made this unit a bit different to set up because Hyper-V's external networking needed to be pointed to the network team name rather than using a physical network adapter. 

Figure 1: FTServer utility 

The test suite consists of a mixed work¬ 
load of database queries running on four 
active VMs. The database tests run a set of 
27 queries against each virtual SQL Server 
instance. The NEC 5800 proved to be an 
excellent performer, with test scores that 
were comparable to other high-end serv¬ 
ers we've tested. However, the NEC 5800's 
built-in fault tolerance really set it apart 
from other servers. 

While running the SQL query test suite, 

I tried a number of different tests, including 
pulling the power cord out of the back of 
one CPU module, then putting it back in 
and pulling the power cord out of the sec¬ 
ond CPU module. I also pulled out all the 
network connections from one of the units, 
then put them back in. The NEC 5800's 
fault tolerance worked exactly as adver¬ 
tised. The server continued processing the 
queries with no noticeable slowdown and 
absolutely no interruption of services. 

After I reconnected the power, the 
unit took a few minutes for the two CPU 
modules to resynchronize. The resynchro¬ 
nization process was completely automatic 
and there was no operator action required. 
The time required for synchronization 


depends in part on the workload the unit is handling. Under heavy workload, the resynchronization took upwards of 20 to 30 minutes. When the workload subsided, the resynchronization completed in a couple of minutes. During the resynchronization period, the unit isn't fault tolerant; I needed to wait until the Ready to Pull light was relit to perform another test. When the Ready to Pull light came back and the NEC 5800 was fully fault tolerant again, I performed many additional tests with no problems. The NEC 5800's fault tolerance just works. 

Managing the NEC 5800 is much the 
same as for a regular Windows server. The 
interface is essentially the same, with familiar 
tools such as Server Manager, Hyper-V 
Manager, and SQL Server Enterprise Manager 
for SQL Server management. All these 
tools work exactly as you would expect 
them to. NEC provides two additional tools 
to manage the system's fault tolerance: the 
FTServer utility, which Figure 1 shows, and 
an RDR utility. 

The FTServer utility manages the fault 
tolerance of the CPU and PCI devices. It 
tracks failure information, and it provides 
the ability to bring CPU and PCI modules 
online and offline. The RDR utility manages 
disk fault tolerance and shows you the 
status of all the drives in each CPU module, 
as well as the current resynchronization 
level when the CPU modules resynchronize 
after a failure. 

As you might expect from a high-availability 
server, the NEC 5800 provides 
a robust set of remote-management capabilities. 
You can connect remotely to the 
NEC 5800 by directing your web browser 
to the IP address of its management network 
adapters. You're then presented with 
a sign-on screen; after entering the appropriate 
authentication information, you can 
perform a number of remote management 
actions, including powering the unit on 
or off. Notably, the remote management 
works even when the server is powered 
down. To enable this level of management, 
the unit never really completely powers off 
while the power supplies are connected. 
Because that interface can power-cycle the 
server and answers even when the server is 
off, keep the management adapters on an 
isolated management network rather than 
on the production LAN. Sitting idle at what 
could be considered a power-off condition, 
the unit consumed about 53 watts. While 
running under the workload generated by 
our virtualization test suite, the unit consumed 
about 520 watts. 

The NEC 5800 is an excellent platform 
for mission-critical workloads such as 
virtualization and database serving. This 
fully fault-tolerant server can endure a 
CPU, motherboard, network, or storage 
hardware failure and continue to provide 
end-user services with no interruption. 

As you might expect, the unit costs more 
than a standard server, but if you need 
scalability and extreme availability, the NEC 
5800 is an excellent solution. 

InstantDoc ID 128943 

NEC Express5800/R320 

PROS: Full industrial-strength fault tolerance; 
excellent scalability; rugged construction 

CONS: More expensive than a standard server; 
only one USB port on the front of the unit 

RATING: 

PRICE: Starts at $25,299 

RECOMMENDATION: The NEC Express5800/ 
R320 is an excellent choice for implementations 
requiring enterprise-class scalability and true 
mission-critical availability. 

CONTACT: NEC • 800-338-9549 • www.necam.com 
Unify Audit Manager 



Figure 1: Unify Audit Manager interface 


The robust ability of Ensim's Unify Audit 
Manager to capture and track changes to 
Active Directory (AD) starts with brand-new 
functionality in Windows Server 
2008's Active Directory Domain Services 
(AD DS), which now audits old and new 
values when changes are made to objects 
and their attributes. Ensim has created an 
extremely lightweight agent that simply 
extends Server 2008's built-in functionality. 

Unify Audit Manager is installed on 
a dedicated audit server and requires a 
SQL Server database to store the logged 
activities. Which SQL Server edition you 
choose depends on how large the database 
will grow: the Express edition caps database 
size, so unless you have an extremely small 
environment, I recommend going with the 
full SQL Server implementation, with its 
unlimited database size, just to be safe. 

How fast will the database grow? There 
isn't an exact answer to this question, but 
each action in AD (e.g., add, delete, move, 
change) generates about 10 events in 
the event log and consumes about 2KB of 
database space. At 10,000 actions per week, 
that's roughly 20MB per week, so the database 
might grow about 1GB per year. 

As soon as the audit server is prepped 
with an instance of SQL Server, a standalone 
application, UAMDBSetup.exe, creates 
the database tables, views, and stored 
procedures that are needed to store the 
event logs. This process is slick and easy 
compared with that of other applications 
I've used that create a back-end database. 

The next step is to install the agents 
onto each DC in the domain. I was pleased 
to find that the agent is included as an MSI 
file, so this step can easily be automated by 
configuring Group Policy on the DC's organizational 
unit (OU). This approach would 
ensure that every DC in your domain has 
the agent. 

Now, you need to enable auditing 
on the domain. The included installation 
guide walks you through this simple process, 
which you need to complete only once 
per domain, not for each DC. 

You must also configure the event log 
to set the maximum log size so that the 
logs don't grow out of control. You need 
to configure the event log on each DC, so 
you should consider using Group Policy 
on the DC's OU to automate the settings 
domain-wide. (Using Group Policy would 
also prevent a rogue administrator from 
altering the event log settings on a single 
DC, which would otherwise let changes made 
there go unrecorded.) 
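The prerequisites just described (enabling the Server 2008 change auditing, capping the Security log, and then reading the resulting events) can all be done with tools built into Windows, which is useful for checking that the feature the agent relies on is actually producing old and new values before you install anything. The following PowerShell is an added example written for this review; it is not Ensim's installer or code, and it assumes an elevated session on a domain controller, a hypothetical domain named contoso.local, the ActiveDirectory module (Server 2008 R2 or later), and a 1GB log cap and an "Everyone, successful writes" audit entry that are choices for this example, not Ensim's defaults.

```powershell
# Added example for the auditing prerequisites described above; it is not
# part of Unify Audit Manager or Ensim's installer. Assumptions (hypothetical):
# run in an elevated PowerShell on a domain controller, the domain is
# contoso.local, and the ActiveDirectory module is present (Server 2008 R2+).
Import-Module ActiveDirectory
$domainDN = 'DC=contoso,DC=local'

# 1. Enable the "Directory Service Changes" audit subcategory. This is the
#    Server 2008 feature the review relies on: AD DS then records old and
#    new attribute values as events 5136 (modify), 5137 (create),
#    5138 (undelete), 5139 (move) and 5141 (delete) in the Security log.
auditpol.exe /set /subcategory:"Directory Service Changes" /success:enable /failure:disable

# 2. The subcategory only fires for objects that carry an audit entry (SACL).
#    Audit successful writes, creates and deletes by anyone, inherited by
#    every object under the domain root. The principal and rights here are
#    a choice for this example, not a vendor recommendation.
$acl  = Get-Acl -Path "AD:\$domainDN" -Audit
$rule = New-Object System.DirectoryServices.ActiveDirectoryAuditRule -ArgumentList @(
    [System.Security.Principal.NTAccount]'Everyone',
    [System.DirectoryServices.ActiveDirectoryRights]'WriteProperty, CreateChild, DeleteChild, Delete',
    [System.Security.AccessControl.AuditFlags]::Success,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
$acl.AddAuditRule($rule)
Set-Acl -Path "AD:\$domainDN" -AclObject $acl

# 3. Cap the Security log (1GB here) so it cannot grow without bound. For a
#    fleet of DCs, set the same value in a GPO linked to the Domain
#    Controllers OU (Computer Configuration > Policies > Administrative
#    Templates > Windows Components > Event Log Service > Security >
#    Maximum Log Size (KB)); a policy-enforced value cannot be changed
#    locally by a rogue administrator, whereas this one-off setting can.
wevtutil.exe sl Security /ms:1073741824

# 4. Read the change events back, resolving the old/new value pairs that the
#    agent forwards to the audit database. OperationType %%14674 = value
#    added and %%14675 = value deleted, so one modify shows up as a
#    Deleted/Added pair for the same attribute.
function Get-AdChangeEvent {
    param([int]$Hours = 24)
    $filter = @{ LogName = 'Security'; Id = 5136, 5137, 5138, 5139, 5141;
                 StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $xml = [xml]$_.ToXml()
        $d = @{}
        foreach ($item in $xml.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
        $op = $d['OperationType']
        if ($op -eq '%%14674') { $op = 'Added' } elseif ($op -eq '%%14675') { $op = 'Deleted' }
        New-Object PSObject -Property @{
            # Normalise to UTC: the review notes the console reports times in
            # the database server's zone, not the DC's, so compare in UTC.
            TimeUtc   = $_.TimeCreated.ToUniversalTime()
            EventId   = $_.Id
            Subject   = '{0}\{1}' -f $d['SubjectDomainName'], $d['SubjectUserName']
            Object    = $d['ObjectDN']
            Attribute = $d['AttributeLDAPDisplayName']
            Operation = $op
            Value     = $d['AttributeValue']
        }
    } | Select-Object TimeUtc, EventId, Subject, Object, Attribute, Operation, Value
}

Get-AdChangeEvent -Hours 24 | Sort-Object TimeUtc | Format-Table -AutoSize
```

Steps 1 and 3 are per-machine settings and have to reach every DC (by running them on each, or better, through the GPO noted in the comments); step 2 writes to the directory itself and replicates, so it is done once per domain. Step 4 is a quick way to confirm, before the agent is installed, that a test change to a user object really shows up as a value-deleted/value-added pair with the old and new data in it.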

The web UI provides a portal into the 
events to query. To configure the web UI, 
install UAMWebUISetup.msi. Note that IIS 
is required. The Report Scheduler service is 
also installed, preferably on the SQL Server 
system (to avoid excessive network traffic). 
Microsoft Excel 2007 on the Report Scheduler 
server is a prerequisite. 

The tool itself, which Figure 1 shows, is 
extremely simple to navigate. With just a 
couple of clicks, you can quickly query by 
a specific date or by domain (if monitoring 
multiple domains), object type (e.g., 
User, Computer, Group), object name, or 
operation (e.g., created, deleted, modified). 
Three built-in queries are included: 
Show all Directory Service changes, Show all 
changes within last 24 hours, and Show all 
User object changes. 

In addition to AD changes, Unify 
Audit Manager also tracks Group Policy 
changes. The top of the Unify Audit 
Manager console continually shows the 
latest statistics and other useful information, 
including number of Directory 
Service changes, number of Group Policy 
changes, current database size, and date 
of last change. 

The console provides another very 
important piece of information: the database 
server time zone. Knowing this time 
zone is imperative because all events are 
logged within the database server's time 
zone, not the DC's time zone. If you correlate 
Unify's records with a DC's own Security log, 
convert both to a common reference (UTC) 
first. 

In reviewing Unify Audit Manager, the 
only negative I could find (other than the 
fact that it works only on Server 2008 or 
later domains) is the lack of a way to manage 
what will eventually become years and 
years worth of event logs. A mechanism to 
archive unneeded logs would be a great 
future addition. 

Unify Audit Manager is extremely 
simple to set up, and the product uses 
functionality that's already built into Server 
2008. The queries are easy to master, and 
the information that systems administrators, 
security analysts, or pesky auditors 
need is right at your fingertips. And at only 
$5 a user, it's very affordable. 

InstantDoc ID 129155 


Unify Audit Manager 

PROS: Simple query tool; easy to use; 
rock-bottom price 

CONS: Requires Server 2008; no built-in ability 
to archive old data 

RATING: 

PRICE: $5 per user; discounts available 

RECOMMENDATION: Unify Audit Manager gets a 
strong recommendation, particularly if you're running 
Server 2008 and need auditing that doesn't 
require SQL Server certification. 

CONTACT: Ensim • 877-693-6746 • www.ensim.com 
VIPRE Enterprise Premium 4.0 



Figure 1: Configuring IDS rules 


Considering the numerous layers of 
security defenses that can be deployed to 
protect OSs in today's high-threat environment, 
an all-in-one endpoint security 
solution is an attractive option. VIPRE 
Enterprise Premium 4.0 is such a solution. 

Installing VIPRE is a fast, wizard-driven 
process that configures the VIPRE Site 
Service (VSS), Administration Console, 
Report Viewer, or a combination of the 
three. VIPRE uses a database back end; you 
can install SQL Server 2005 Express Edition 
(included), or you can direct VIPRE to an 
existing SQL Server installation. The Database 
Configuration Wizard configures the 
necessary access to the chosen database 
server, then creates the required database 
and tables. Installation continues with the 
Site Service Configuration Wizard and lets 
you define basic settings. 

You should configure the default agent 
policy, or create additional policies, before 
distributing VIPRE agents to endpoints. 
Many of the settings you might expect to 
be enabled, such as on-access scanning, 
email client integration, and stopping Windows 
Defender, are turned off by default, so an 
agent rolled out with the untouched defaults 
gives you no on-access scanning at all. 

The VIPRE agent contains an advanced 
firewall that includes process protection 
for preventing unknown code-injection 
attacks, boot-time protection, code-injection 
logging, and an intrusion detection 
system (IDS) based on Snort that can be 
enabled or disabled independently from 
the firewall. You can also add to the IDS 
rules provided out-of-the-box, as Figure 1 
shows. You can set web filtering options to 
further protect users in the browser. A URL 
blacklist is provided, and you can block 
advertisements to help speed up browsing. 

VIPRE endpoints can act as agents in 
Network Access Control (NAC) systems 
from most of the top vendors. Unlike some 
of the competition, however, VIPRE doesn't 
include the necessary server components 
for a complete NAC setup. 

VIPRE includes basic application control. 
However, I found it to be less flexible 
than AppLocker or Windows' software-restriction 
policies. 

Installing agents on endpoints can be 
a pain point with antivirus suites. VIPRE 
lets you push-install the agent from the 
console, or create a .msi or .exe installer for 
deployment using a software distribution system, 
such as Group Policy Software Installation 
(GPSI) or System Center Configuration Manager. 

You can add clients to a policy by selecting 
them from Active Directory (AD) or specifying 
networks or ranges of IP addresses. To perform 
a push install from the VIPRE console, you must 
first disable Windows Firewall on the endpoints. 
You must also manually set an inbound firewall 
exception on the server on which VSS is installed. 
Endpoints must be rebooted to complete 
the agent-installation process. Turning off the 
host firewall across the estate just to get an 
agent on is a poor trade; where GPSI or Configuration 
Manager is available, the .msi route avoids it, and 
if you do push-install, turn the firewall back on 
as soon as the agents are in place. 

When policy settings are modified in 
the Administration Console, those changes 
are pushed out to agents very quickly. VSS 
uses minimal resources on the server, and 
the agent didn't appear to significantly 
affect response times on clients, although 
a slight slowdown should be expected 
with so much complexity. VIPRE can be 
configured so that notebook users automatically 
receive updated virus definitions 
directly from Sunbelt Software. 

The Report Viewer, a separate application 
that can be launched from the VIPRE 
Administration Console, offers a limited 
set of reports out-of-the-box. I noticed 
that the VIPRE agent console on one of 
my endpoints stated that there had been 
62 low-risk intrusions blocked by IDS, but 
no report was available to give me further 
details on the intrusion attempts. However, 
detailed information is available in the 
Firewall History tab on the client. Although 
the included reports are limited in scope, 
those that do exist are customizable. 

Although VIPRE Enterprise Premium 
is easy to use and has the core features 
you'd expect, it doesn't provide the same 
comprehensive protection as other more 
mature suites on the market, such as 
Sophos Endpoint Security and Control or 
Symantec Endpoint Protection. In addition, 
VIPRE lacks support for Linux, UNIX, 
Novell NetWare, and OpenVMS. Unless 
you have a Windows- and Mac-only shop 
with AppLocker, NAC, and device control 
already in place, consider looking at other 
endpoint security suites for more comprehensive 
protection. 

InstantDoc ID 129300 


VIPRE Enterprise Premium 4.0 

PROS: Easy to set up and manage; light on 
system resources; includes IDS, ad blocking, and 
URL blacklist 

CONS: Lacks flexible application whitelisting, 
device control, and a NAC server; limited reporting 
and support for client OSs 

RATING: 

PRICE: 

RECOMMENDATION: Because VIPRE doesn't 
include an AppLocker equivalent, NAC, and 
device control, consider other endpoint security 
suites for a more comprehensive solution. 

CONTACT: Sunbelt Software • 888-688-8457 • 
www.sunbeltsoftware.com 
BUYER'S GUIDE 


Enterprise Systems 
Management 

Look into your options before making this big commitment 

by Zac Wiggy 


Editor's note: See the online version of this article at 
www.windowsitpro.com, InstantDoc ID 129339, for this month's buyer's 
guide chart. 

Choosing a systems management suite is an important 
commitment. Desktop and server OSs come and go, 
but ideally, your systems management suite will be 
working for your company permanently. 

For enterprises, a systems management suite is 
an even larger commitment than for smaller businesses. 
These suites must manage and interact with thousands of 
machines, so deciding to change to another product will be expensive 
and exhausting. At this level, if your systems management suite 
isn't meeting your needs, you should seriously consider third-party 
add-ons to extend your suite rather than outright replacing it. 

Vendors sell systems management software in a variety of 
ways, but remember that at the most basic level, these tools exist 
to save your IT department man-hours by making their work more 
efficient. Look at what specific tasks your IT team spends its time 
on and consider how each suite would affect the time these tasks 
take. What seems like a small missing feature now might end up 
costing your team many hours later on, and what seems like a 
major feature might pay off only a few times. 

High-quality enterprise-class systems management suites are 
a big investment, so there's no excuse for skimping on research 
here. Use the buyer's guide table with the online version of this 
article only to jumpstart your research, and remember that some 
products might have been left out, either as an oversight or from 
lack of vendor response. 

Ready for Trends 

Virtualization is a must-have these days, to the point that some 
people are starting to consider virtualization a skill that all IT pros 
need, rather than a specialty. Virtual Exchange, virtual SQL Server, 
and virtual SharePoint are all common and becoming more common. 
In the same way, your systems management tools will almost 
certainly be managing some virtual servers, and likely some virtual 
desktops, before long. If your systems are already partly virtual, 
they'll become more virtual. 

Consider the virtualization solutions you already use and those 
you might use in the future. Mixed environments, with different 
hypervisors, server virtualization, desktop virtualization, and 
application virtualization all working together, are becoming the 
norm, and your systems management tools need to be able to 
handle them. 

Your systems management suite will also need to be able to 
handle environments that are mixed in the sense that they contain 
machines other than Windows computers. The Mac is making serious 
progress, especially in the minds of consumers. Linux servers 
are fairly likely to be present in your network, and there's always a 
chance that there'll be a need for Linux PCs, too. Mobile phones 
are getting more powerful, practically by the day, and the iPad and 
other tablets running smartphone OSs are likely to show up in your 
environments. It's possible that "bring your own PC" workplaces 
are going to catch on in the near future, too. All of these devices 
bring management problems with them, and you need your systems 
management suite to help. 

Even if you're able to restrict your business to Windows 
PCs, you're not going to be able to get away with skimping on 
OS deployment features. Windows 7 is a serious upgrade from 
Windows XP, and if your company hasn't started that migration, 
you're going to have to come up with a plan before XP support 
ends. Recent versions of Windows Server have also gotten very 
good press within the IT community, so you should be ready to 
move to them, too. 

Questions and Answers 

As with any IT purchasing decision, the most important factor in 
choosing a systems management suite is to know exactly what you 
have and exactly what you'll need. The IT landscape changes very 
rapidly, so you shouldn't forget to account for what you'll be dealing 
with in the future, too. It's hard to predict how rapidly your vendor will 
update its technology to deal with the latest trends, so it's a good idea 
to contact other customers to see how happy they are with updates. 

Also as always, make sure you have a clear picture of exactly what 
you're getting from a management suite vendor. Software licensing 
contracts are notoriously complicated, so be thorough. You don't want 
to add one too many machines and be stuck paying a huge bill, or have 
to spend more to get a feature you assumed was included. 
INSIGHTS FROM THE INDUSTRY 


IT Teams Lack Appropriate Tools to Manage 
Cloud and Virtual Networks 


I always look forward to the release of 
Network Instruments' annual State of the 
Network Global Study. This is the company's 
fourth year conducting the study, 
which is consistently revealing about 
industry challenges and concerns. When 
I spoke with Network Instruments' Brad 
Reinboldt and Steve Brown, they said 
that the key findings of this year's results 
show a majority of companies implementing 
new technologies, but lacking 
appropriate tools to accurately manage 
performance. 

Top Findings 

The 2010 study of more than 250 network 
professionals had the following 
highlights: 

• Cloud embracement on the rise—54 
percent have implemented cloud 
computing. 

• Difficulties monitoring the cloud—56 
percent lack appropriate tools to 
troubleshoot cloud problems. 

• Real cloud gains—47 percent report 
improved application availability and 
lower infrastructure costs by moving to 
the cloud. 

• Strong future for videoconferencing—90 
percent will have deployed 
videoconferencing within 24 months. 

• Virtualization blind spots—35 percent 
indicated troubleshooting abilities 
worsened after implementing 
virtualization. 

• Greatest troubleshooting challenge—85 
percent cited identifying the problem 
source. 

"While network teams saw substantial 
benefits from cloud computing, virtualization, 
and unified communication initiatives, 
they are spending more time managing 
and troubleshooting related performance 
problems," said Reinboldt. "I was surprised 
by the number of organizations failing to 
verify if their monitoring solutions support 
these environments. If IT can't address 
these problems, they risk not only degrading 
application performance but threatening 
overall business productivity." 

Cloud Computing 

A third of organizations utilize some form 
of Software as a Service (SaaS), such as 
SalesForce.com or Google Apps. One-quarter 
have invested in private clouds, 
and a small but significant number (13 
percent) rely on Infrastructure as a Service 
(IaaS), such as Amazon Elastic Compute 
Cloud. 

Fifty-six percent of respondents said 
the chief challenge to managing cloud performance 
is a lack of appropriate monitoring 
tools. Forty-two percent are concerned 
with bandwidth demands breaking the 
budget and 39 percent report data security 
concerns in the cloud. 

Although network teams find the 
technology challenging, 85 percent of 
respondents indicated their organization 
realized clear benefits from the migration. 
The primary two benefits to cloud 
computing are greater flexibility to adapt 
to business changes and improved application 
availability. 

Videoconferencing 

Despite economic considerations at the 
forefront of every IT department discussion, 
videoconferencing is no longer seen 
as a luxury but a necessity that has been 
pushed into the mainstream. Nearly two-thirds 
of respondents have implemented 
some type of videoconferencing, with 
that number approaching 90 percent 
in the next two years. The majority of 
respondents have multiple deployments 
throughout their organization, including 
standard conference rooms (74 percent), 
desktop PCs (60 percent), and telepresence 
systems (33 percent). 

Virtualization 

Compared to the past two years, the 
percent of respondents virtualizing 
infrastructure has stabilized in 2010 at 
nearly 80 percent. This marked a 5 percent 
rise over 2009. Though virtualization is 
largely contained to servers (43 percent 
virtualized over half of their servers), it is 
also migrating throughout the enterprise; 
over 40 percent have started to virtualize 
desktops. 

Energy and infrastructure cost savings 
are the chief factors driving virtualization, 
according to 80 percent of respondents. 
This was followed by improved application 
availability, cited by nearly two-thirds of 
respondents. Interestingly, these gains did 
not necessarily lead to an improved user 
experience, as the majority of network professionals 
stated the experience remained 
the same. 

Despite virtualization's benefits, over 
one-third of respondents reported their 
ability to troubleshoot issues worsened 
after virtualizing data center resources. 

Performance Management 

When asked to identify the largest troubleshooting 
challenges network professionals 
face, 83 percent cited identifying 
the problem source. In one of the more 
significant trends of the study, the number 
of respondents indicating this problem 
as the largest issue has increased steadily 
over the last three years. 

—Jason Bovberg 
INDUSTRY BYTES 


Not All Remote Devices Are Mobile: Managing 
Intelligent Connected Devices 


Have you ever been shopping at one of 
your favorite stores, gotten up to the register, 
and been unable to locate your card for 
that particular shop? (This always happens 
to me when I stop to pick up something 
at the grocery store because my wife 
carries those cards.) The cashier is usually 
happy to offer to look up your account by 
phone number or some other identifier 
right through the register. Now, have you 
ever thought of how that's made possible? 
Obviously they don't have a complete 
customer database in the register, or even 
at the store level. 

Fortunately, companies such as Odyssey 
Software have been thinking about this 
very thing: remote device management 
for "intelligent connected devices." This 
point has been highlighted by Odyssey 
Software's announcement that the Coca-Cola 
Company is using the company's 
Athena remote management software, in 
conjunction with Microsoft System Center 
Configuration Manager 2007 (SCCM), to 
remotely manage the new and state-of-the-art 
Coca-Cola Freestyle beverage 
dispensers. 

First, a little bit about what these 
drink dispensers do. In this digital age 
of overwhelming choice, this fountain 
dispenser fits right in: A single dispenser 
provides an intuitive touch screen display 
with over 100 different beverage choices 
to quench your thirst from various Coca-Cola 
brands, including Coke, Diet Coke, 
Fanta, Dasani, and Minute Maid. You can 
also add additional flavors, such as orange 
or raspberry, to create flavors that aren't 
otherwise commercially available. The 
pour is based on microdosing technology, 
originally developed in the medical field, 
and the machine itself is outfitted with 
flavor or ingredient packets that are much 
like inkjet cartridges. The ingredients are 
injected directly into the pour stream, and 
from all accounts, the flavors are as pure as 
anything you've seen from Coke since its 
earliest days. 

Through the remote management 
piece, Coca-Cola is able to monitor and 
collect data both on the overall health 
of the machines as well as specific sales 
information. You can see a video below 
from CNBC that shows the Freestyle 
dispenser in action as well as some of 
its reporting features. Coca-Cola is still 
testing them in limited, though expanding, 
markets; you can see a list of current 
locations on the Coca-Cola Freestyle 
Facebook page. Personally, as an only-Coke-no-Pepsi 
person, I can't wait to give 
one a try. 

Odyssey Software partnered with 
Microsoft to work with Coca-Cola on 
this project, which has been ongoing for 
several years. As Odyssey Software CEO 
Mark Gentile explained, they were evaluated 
against other remote management 
contenders and ultimately Coke chose the 
Athena/SCCM combination for the project. 
"Configuration Manager is the back-end 
infrastructure, the management console 
... the single pane of glass for all the management 
tasks, whether it's provisioning, 
or remote control, or things like that," Gentile 
said. "Athena is used on the device side, so it's 
our agent that's exclusively on the device 
side that's being used. It's also used on the 
ConfigMan side—we have some extensions 
that we install into the Configuration Manager 
environment, so it adds new features to the 
console to do things with these embedded 
devices or mobile devices that you typically 
can't do out of the box with ConfigMan." 

I've spoken with Odyssey Software and 
looked at the Athena product several times 
over the years, but always as a mobile 
device management platform. However, 
as Gentile explained, the company is 
seeing things somewhat differently these 
days. "There's a need to manage mobile 
devices," Gentile said. "But really the 
category that we're in is about managing 
intelligent connected devices. Mobile is 
one segment of an intelligent connected 
device—that's one type. Smartphones 
are one type of an intelligent connected 
device. So is a cash register." And it's no 
surprise, therefore, that Athena is also 
licensed to companies that do the sort 
of cash register management that lets 
stores look up your various loyalty program 
cards when you wander in without 
them. 

It's exciting technology: both what 
Coca-Cola is doing with its innovative new 
fountain, and what Odyssey is doing with 
remote device management. I love it when 
some of my favorite things come together 
in unexpected ways. 

—B. K. Winstead 
INDUSTRY BYTES 

Google Beats Microsoft to Win GSA Contract 


Google announced at the beginning of 
December that it had won a contract from 
the General Services Administration 
(GSA) to move more than 17,000 employees 
from Lotus Notes to Google Apps for 
Government. Google's victory is the end 
result of a six-month competition with 
several other large IT vendors who were 
also competing for the deal. 

The ongoing conflict between Microsoft 
and Google over cloud-based apps 
has moved into new battlegrounds over 
the last year or so, with Google scoring 
wins in city government and education, 
while Microsoft managed to win over the 
City of New York to use Microsoft cloud-based 
services. The Microsoft and Google 
competition may be the most notable, but 
IBM, Cisco, and VMware are now competing 
for customers that would have been 
considered safe and solid Microsoft clients 
just a few years ago. 


In a blog post announcing the GSA 
win (http://tinyurl.com/2b2v6o7), Google 
Federal Enterprise Team Director Mike 
Bradshaw touted Google's progress in 
meeting government IT needs. "Earlier this 
year, Google Apps became the first suite of 
cloud computing email and collaboration 
applications to receive Federal Information 
Security Management Act (FISMA) certification, 
enabling agencies to compare the 
security features of Google Apps to that of 
existing systems," Bradshaw wrote. "GSA is 
leading the way in embracing the federal 
government's 'cloud first' policy." 

Microsoft didn't let Google's win go 
without comment: Microsoft Senior Director 
of Microsoft Online Services Tom Rizzo 
blasted the decision, writing a blog post 
that criticized Google's offerings as being 
unsuitable for business use. "There's no 
doubt that businesses are talking to Google, 
and hearing their pitch, but despite all the 
talk, Google can't avoid the fact that often 
times they cannot meet basic requirements," 
Rizzo writes. "For instance, in California, the 
state determined that Google couldn't meet 
many of their basic requirements around 
functionality and security." 

Despite some well-publicized wins like 
the GSA victory, the fact is that Google still 
remains a very small player in government 
IT circles. That said, Google has made some 
startling inroads over the last 18 months 
with their Google Apps products with a 
variety of traditionally faithful Microsoft 
customers, including local and state government, 
federal agencies, public school 
districts and universities. Microsoft is being 
forced to defend turf that it hasn't worried 
about for decades. 

Is Microsoft being a sore loser, or do you 
also believe Google's offerings are truly not 
ready for enterprise and government use? 
—Jeff James 



... but we've been caught 
bragging now and then. 

That's why we're going to let our readers tell you 
why Windows IT Pro is the top independent 
publication and Web site in the IT industry. 

So, direct from our readers' mouths (yes—really)! 

"The best Windows environment magazine around — BAR NONE!" 
—Joe A., Chief, Technical Section 

"No other magazine consistently provides timely, relative information 
that I can use in my everyday systems administration and systems 
engineering roles. Windows IT Pro magazine has provided me with a 
wealth of information for over 10 years." 
—Gary T., Systems Specialist 

"Lots of unique information using real-world scenarios" 
—B. R., Senior Systems Analyst 

"The only magazine I get in print, so if I'm busy, I can read the issue later. 
This is one I never miss reading an issue." 
—R. Z., VP Microsoft Practice 

Don't take our word for it! Read our magazine 
or check out our web site today! Keep the discussions 
going by posting blogs, commentary, videos and more. 

www.windowsitpro.com 
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1&1® WEB HOSTING 



sm m m m w*. IwwH 



PROFESSIONAL 

WEBSITES 


1&1® HOSTING PACKAGES 

6 MONTHS 

FREE! 


As the world's largest web host, we know the developer 
features you need in a hosting package! 


.COm Domains Included 

.info .org All hosting packages include domains, 
, ne t free for the life of your package. 



Unlimited Traffic 

Unlimited traffic to all websites in your 
1&1 hosting package. 



Q + 


Developer Features 

Extensive language support with PHP 5/6 
(beta) with Zend Framework and git version 
management software. 

Online Marketing Tools 

SEO tools to optimize your website. 

1&1 Webstatistics makes it easy to monitor your progress. 


1&1® BUSINESS PACKAGE: 

■ 3 Included Domains 

■ Private Domain Registration 

■ 250 GB Web Space 

■ UNLIMITED Traffic 

■ NEW: Version Management 
Software (git) 

■ 2,500 E-mail Accounts 

■ 50 MySQL Database (100 MB) 

■ 25 FTP Accounts 

■ E-mail Marketing Tool 

■ 24/7 Toll-free Customer Support 



Need more domains? 

.info domain only $0.99 first year' 
.com domain only $4.99 first year' 




Green Data Centers 

We're committed to hosting your site with 
a minimal impact on the environment. 


More great offers available on our 
website! 



Get started today, call 1-877-GO-1AND1 www.1and1.com 


*Offers valid for a limited time only. 12 month minimum contract term applies for web hosting offers. Setup fee and other terms and conditions may apply. Domain offers valid first year only. After first year, standard 
pricing applies. Visit www.1and1.com for full promotional offer details. Program and pricing specifications and availability subject to change without notice. 1&1 and the 1&1 logo are trademarks of 1&1 Internet AG, 
all other trademarks are the property of their respective owners. © 2011 1&1 Internet, Inc. All rights reserved. 


DISCOVER WINDOWS IT PRO VIP 


Windows IT Pro VIP is the perfect tool for the IT pro who knows that 
15 minutes searching the Web is costing more than just time. 



WINDOWS IT PRO is: 


1. Educational—FREE eLearning courses and eBooks to keep your skills sharp 

2. Deep—over 41,000 articles on DVD and online, some exclusively for VIP members 

3. Broad—all the articles, solutions, and FAQs ever published in: 

Windows IT Pro 
SQL Server Magazine 
SharePointPro Connections 
DevProConnections 

4. Reliable—every solution has been road-tested by our experts 

5. Impartial—with technical editors who are shaping the industry 

6. Economical—more than $1,000 of resources for less than $17* a month 


Upgrade to VIP at windowsitpro.com/go/vip 


* Rates vary outside the U.S. 
Search our network of sites dedicated to hands-on 
technical information for IT professionals. 

www.windowsitpro.com 

Join our discussion forums. Post your questions 
and get advice from authors, vendors, and other 
IT professionals. 

Get exclusive access to over 40,000 articles and 
solutions on CD and via the Web. Includes FREE 
access to eBooks and archived eLearning events, 

mation on development for IT optimization, and 
solutions-focused articles at DevProConnections.com, 
where IT pros creatively and proactively drive busi- 

specialized articles, member forums, expert tips, 
and Web seminars mentored by a community of 

www.sharepointproconnections.com 

"Windows IT Pro" as your search term. 
CTRL+ALT+DEL 

by Jason Bovberg 


You Are Now Under Our Control 


Product of the Month 

Perhaps the most eye-opening product we've heard about this 
month is NeuroSky's XWave headset, a brainwave-powered 
piece of headgear that promises to "bring 'mind control' to mobile 
devices." According to NeuroSky, "the headset allows the wearer 
to harness the power of their brainwaves. Game players can move 
objects with their minds, monitor attention levels, measure their 
degree of relaxation state, and 'work out' their brain! For any 
stressed-out mom and business executive that swears they're a 
bit 'ADHD,' XWave helps to calm thoughts, improve attention, 
and take back control of the mind." The XWave headset uses 
NeuroSky's ThinkGear technology to read the intensity of the 
wearer's brainwaves via one sensor on the forehead and a ground 
and reference contact point positioned on the ear. It's available 
for iPhone, iPad, and other mobile platforms for $99. Find more 
information at www.plxdevices.com. 


Figure 1: One-sided argument (NetBackup Administration Console error dialog: "An invalid argument was encountered." with a single OK button) 

Figure 2: Gimme a chance! 



USER MOMENT OF THE MONTH 

I worked for a telecom company some years ago, and 
was walking a new user through an installation, setting 
up a new modem. I was providing the user a unique 
code with which to access our secure installation 
portal, carefully reading each number and letter to him. 
I said something like, "Okay, now enter 3-T-6-R-V-E." 
He said, "Okay, hold on ..." and I could hear precise 
keyboarding over the phone. After a moment, he said, 
"Is that a capital 3?" I was struck silent. But he caught 
himself, laughing, asking me to repeat the code, which 
I did. And then, unbelievably, he asked, "What about 
the 6? Capital 6?" 

—Tim Waggoner 
ADVERTISEMENT 


NetWrix 

Systems Management and Compliance 

Yet Another 10 Free Tools for System Administrators 

Audit Active Directory and file servers, detect inactive users, block USB devices, and more - for free 

The following freeware tools by Windows IT Pro Community Choice Awards finalist NetWrix 
Corporation can save you a lot of time and make your network more efficient - at absolutely no cost. 
Some of these tools have advanced commercial versions with additional features, but none of them 
will expire and stop working when you urgently need them. 

1. Active Directory Change Reporter (Windows IT Pro Sep'09; InstantDoc ID 102446; TechTarget: www.tinyurl.com/2vg3os7) — This is a simple auditing tool to keep tabs on what's going on inside Active Directory. The tool tracks changes 
to users, groups, OUs, and other types of AD objects, and sends summary reports with full lists of what was changed and 
how it was changed. In addition, it has a nice "rollback" feature that helps roll back unwanted changes (including deletions) 
very quickly. Download link: www.tinyurl.com/3542hnp 

2. USB Blocker (Windows IT Pro Nov'09: InstantDoc ID 102860) — Users bring tons of consumer devices: flash drives, 
MP3 players, cell phones, etc., into the office, and this aptly-named tool can block them with a couple of mouse clicks to 
prevent the spread of a virus and to restrict the take-out of confidential information. The product is integrated with Active 
Directory and is very easy to use. Download link: www.tinyurl.com/3x22gqu 

3. Password Expiration Notifier (Redmond Magazine Feb'09; 4sysops: www.tinyurl.com/352ww6v) — This tool will 
automatically remind users to change passwords before they expire to keep you safe from password reset calls. It works 
nicely for users who don't log on interactively and, thus, never receive standard password change reminders at logon time 
(e.g., VPN and OWA users). Download: www.tinyurl.com/32ncs65 

4. Inactive Users Tracker (MS TechNet Magazine May'08: www.tinyurl.com/26wmsnu) — This tool tracks down 
inactive user accounts (e.g., terminated employees) so you can easily disable them, or even remove them entirely, to 
eliminate potential security holes. The tool sends reports on a regular schedule, showing what accounts have been inactive 
for a configurable period of time (e.g., 2 months). Download link: www.tinyurl.com/33a7wrt 

5. File Server Change Reporter (4sysops.com: www.tinyurl.com/35y3wOx) — This tool extends the line of auditing 
tools to file servers. File Server Change Reporter detects changes in files, folders, and permissions, tracks deleted 
and newly created files, and sends daily summary reports. This is a very useful tool to detect mistakenly deleted files and 
recover them from backup, or to see if someone changes some important files. Download link: www.tinyurl.com/32xj4tm 

6. Active Directory Object Restore Wizard (4sysops.com: www.tinyurl.com/28xonil2) — This tool can save the day 
if someone accidentally (or intentionally) deleted a bunch of Active Directory objects. It provides granular object-level 
and even attribute-level restore capabilities to quickly roll back unwanted changes (e.g., mistakenly deleted users, modified 
group memberships, etc.). Download link: www.tinyurl.com/3a9xm6t 

7. VMware Change Reporter (TechTarget/SearchVirtualDesktop: www.tinyurl.com/39ohy6j) — If you don't know 
what is being changed by your colleagues in the VMware infrastructure, it's very easy to get lost and miss changes that 
can affect the things for which you are responsible. This tool tracks and reports configuration changes in VMware Virtual 
Center settings and permissions. Download link: www.tinyurl.com/33xf6wk 

8. Windows Service Monitor (WindowsReference.com: www.tinyurl.com/2w8uumj) — This very simple monitoring tool 
alerts you when some Windows service accidentally stops on one of your servers. The tool also detects services that fail to 
start at boot time, which sometimes happens, for example, with Exchange Server. 

Download link: www.tinyurl.com/3xur8et 

9. Bulk Password Reset (reviewed by SoftPedia: www.tinyurl.com/38joj6x) — While most companies have strong 
password policies for their employees, one critical issue is still neglected: local Administrator passwords on all servers are 
usually managed in a "set and forget" fashion, sometimes using some "well-known" passwords, opening a major surface 
for security attacks. The Bulk Password Reset tool quickly resets local account passwords on all servers at once, making 
them more secure. Download link: www.tinyurl.com/354durt 

10. Disk Space Monitor (MS TechNet Magazine Sep'09: www.tinyurl.com/22mdg8x) — Even with today's terabyte- 
large hard drives, server disk space tends to run out quickly and unexpectedly. This simple monitoring tool will send you 
daily reports regarding all servers that are running low on disk space, below the configurable threshold. 

Download link: www.tinyurl.com/39r2ch9 


Smarter technology for a Smarter Planet: 

What database integration means 
to this blood sample. 

It means doctors in Ethiopia will be able to instantly compare this blood sample to over 41,000 HIV treatment 
histories to help their patients receive the best treatment regimen possible. The EuResist Network is helping 
doctors predict patient response to various HIV treatments with over 78% accuracy—outperforming 9 out of 10 
human experts in a recent study. The tool is built on an IBM analytics solution that integrates a variety of disparate 
databases onto a flexible IBM DB2 platform to process complex metadata more effectively than anything else 
on the market. A smarter organization is built on smarter software, systems and services. 


Let's build a smarter planet. ibm.com/hospital 
